Introduction


The goal of this book is to help you prepare for the SC-300 Exam: Microsoft Identity and Access Administrator certification. This exam targets IT professionals who design, implement, and operate an organization's identity and access management systems by using Microsoft Azure Active Directory (Azure AD). This exam focuses on topics such as planning and implementing identity governance, self-service management capabilities, secure authentication and authorization, monitoring, troubleshooting, and reporting across the organization. This book provides comprehensive coverage of exam domain objectives, including hands-on exercises, explanations, exam tips, and demonstrations of real-world design scenarios. While we've made every effort possible to make the information in this book accurate, Azure is rapidly evolving, and it's possible that some parts of the Azure portal interface might be slightly different now than they were when this book was written, which might result in some figures in this book looking different than what you see on your screen. It's also possible that other minor interface changes have taken place, such as feature name changes and so on.


This book covers every major topic found on the exam, but it does not cover every specific exam question. Only the Microsoft exam team has access to the exam questions, and Microsoft regularly adds new questions to the exam, making it impossible to cover specific questions. You should consider this book a supplement to your relevant real-world experience and other study materials. If you encounter a topic in this book that you do not feel completely comfortable with, use the "Need More Review?" links that you'll find in the text to find more information and take the time to research and study the topic. Great information is available on MSDN, TechNet, and in blogs and forums.


Organization of this book 


This book is organized by the "Skills measured" list published for the exam. The "Skills measured" list is available for each exam on the Microsoft Learn website: https://learn.microsoft.com/microsoft.com/learn. Each chapter in this book corresponds to a major topic in the list, and the technical tasks in each topic determine a chapter's organization. If an exam covers six major topic areas, for example, the book will contain six chapters.


Preparing for the exam 


Microsoft certification exams are a great way to build your résumé and let the world know 
about your level of expertise. Certification exams validate your on-the-job experience and 
product knowledge. Although there is no substitute for on-the-job experience, preparation 
through study and hands-on practice can help you prepare for the exam. This book is not 
designed to teach you new skills. 


We recommend that you augment your exam preparation plan by using a combination of 
available study materials and courses. For example, you might use this Exam Ref and another 
study guide for your “at home” preparation and take a Microsoft Official Curriculum course for 
the classroom experience. Choose the combination that you think works best for you. Learn 
more about available classroom training, find free online courses and live events, and take the 
Microsoft Official Practice Tests that are available for many exams at microsoft.com/learn. 


Note that this Exam Ref is based on publicly available information about the exam and the 
author's experience. To safeguard the integrity of the exam, authors do not have access to the 
live exam. 


Microsoft certifications 


Microsoft certifications distinguish you by proving your command of a broad set of skills and 
experience with current Microsoft products and technologies. The exams and corresponding 
certifications are developed to validate your mastery of critical competencies as you design 
and develop, or implement and support, solutions with Microsoft products and technologies 
both on-premises and in the cloud. Certification brings a variety of benefits to the individual 
and to employers and organizations. 


NEED MORE REVIEW? ALL MICROSOFT CERTIFICATIONS 


For information about Microsoft certifications, including a full list of available certifications, 
go to microsoft.com/learn. Check back often to see what is new! 


Quick access to online references 


Throughout this book are addresses to webpages that the authors have recommended you 
visit for more information. Some of these links can be very long and painstaking to type, so 
we've shortened them for you to make them easier to visit. We've also compiled them into a 
single list that readers of the print edition can refer to while they read. 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


Download the list at MicrosoftPressStore.com/ExamRefSC300/downloads. 


The URLs are organized by chapter and heading. Every time you come across a URL in the 
book, you can find the hyperlink in the list to go directly to the webpage. 


Errata, updates, & book support 


We've made every effort to ensure the accuracy of this book and its companion content. You 
can access updates to this book—in the form of a list of submitted errata and their related 
corrections—at: 


MicrosoftPressStore.com/ExamRefSC300/errata. 
If you discover an error that is not already listed, please submit it to us at the same page. 
For additional book support and information, please visit MicrosoftPressStore.com/Support. 


Please note that product support for Microsoft software and hardware is not offered through the previous addresses. For help with Microsoft software or hardware, go to support.microsoft.com.


Stay in touch 


Let's keep the conversation going! We're on Twitter: twitter.com/MicrosoftPress. 
Implement identities in Azure AD


Azure Active Directory (Azure AD) is a cloud-based identity provider. It provides single sign-on access to Microsoft 365 and Azure clouds, thousands of pre-integrated Software as a Service (SaaS) applications, line-of-business applications, and platform as a service (PaaS) solutions. It provides seamless access for people located on site and remotely so that they can stay productive from anywhere. With Azure AD, you can collaborate with customers and partners using Azure AD B2B and Azure AD B2C technologies. With the Zero Trust approach, Multi-Factor Authentication (MFA), and passwordless authentication, you can provide secure access to your organization's applications and resources. Governance features help you ensure that employees and guests have the right level of access to the data when they need it.


In this chapter, we will cover initial configuration steps after you have created or inherited an Azure Active Directory (Azure AD) tenant: configuring roles for administrators, domain names, creating users and groups, managing hybrid configuration with on-premises Active Directory Domain Services (ADDS). We will also cover external identities—managing guest user access with Azure AD B2B.


Skills covered in this chapter:
■ Skill 1.1: Configure and manage an Azure AD tenant
■ Skill 1.2: Create, configure, and manage Azure AD identities
■ Skill 1.3: Implement and manage external identities
■ Skill 1.4: Implement and manage hybrid identity
New tenant setup—before you start


Setting up a new Azure AD tenant is beyond the scope of this book. There are multiple ways to create a new tenant:

■ Sign up for Microsoft 365.
■ Create an Azure AD tenant using the Azure portal.
■ Sometimes Microsoft creates a tenant for your domain name, and you can later take over an unmanaged directory as an administrator.


Review the following documentation and create your own test tenant:
■ https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-access-create-new-tenant
■ https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-admin-takeover


An Azure AD tenant is an instance of Azure Active Directory that represents an organization. Most organizations need only one Azure AD tenant, but there are valid scenarios for which an organization may need more than one Azure AD tenant:

■ National cloud deployments (Microsoft Cloud for US Government, Microsoft Cloud Germany, Azure and Microsoft 365 operated by 21Vianet in China)
■ Requirements driven by government or industry regulations
■ SaaS provider scenario
■ Mergers and acquisitions (M&A) scenarios

For the purposes of this book, we will assume that one Azure AD tenant belongs to one organization unless stated otherwise.


An Azure AD tenant can be one of two types:

■ Azure Active Directory
■ Azure Active Directory B2C

Azure Active Directory B2C tenants serve the purpose of hosting customer-facing applications. The type of the tenant cannot be changed after creation. For the purposes of this book and the SC-300 exam, we will cover only Azure Active Directory tenants.


Skill 1.1: Configure and manage an Azure AD tenant


With a new Azure AD tenant, you must take several steps for initial setup. In this section, we 
review the skills you need to manage role assignments—both tenant-wide and scoped to 
administrative units. Many organizations choose to configure custom domain names in their 
Azure AD tenant; in this section, we review reasons for this configuration and the steps for 
implementation. 


This skill covers how to:
■ Configure and manage Azure AD roles
■ Configure delegation by using administrative units
■ Analyze Azure AD role permissions
■ Configure and manage custom domains
■ Configure tenant-wide settings


Configure and manage Azure AD roles

Azure and Microsoft 365 have multiple Role-Based Access Control (RBAC) models, such as:
■ Azure AD roles (also known as Azure AD directory roles)
■ Azure resource roles
■ Exchange Online roles
■ Intune roles
■ Other product-specific role models


To pass the exam, you must understand which roles will or will not be covered by the Azure 
AD RBAC model. 


Azure AD roles can have:

■ Azure AD-specific permissions (such as Application Administrator or Authentication Administrator)
■ Permissions across the Microsoft 365 stack covering multiple products (such as Global Administrator or Global Reader)
■ High-level permissions for a specific product (such as Intune Administrator or Exchange Administrator)

Azure AD roles do not have:

■ Permissions for Azure resources hosted in Azure subscriptions (such as VMs, websites, etc.)
■ Granular permissions within the RBAC model of Microsoft 365 products such as Exchange, Intune, etc.


NEED MORE REVIEW? AZURE ROLES VS AZURE AD ROLES VS MICROSOFT 365 ROLES


Read more about Azure resource roles vs Azure AD roles differences:
https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles

Read more about Microsoft 365 roles vs Azure AD roles:
https://docs.microsoft.com/en-us/azure/active-directory/roles/m365-workload-docs


Azure AD roles can be:

■ Built-in roles. The list of Azure AD roles is constantly expanding. You can find up-to-date information at https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference. Find least privileged roles by task at https://docs.microsoft.com/en-us/azure/active-directory/roles/delegate-by-task.
■ Custom roles.


To assign a role, you need to create a role assignment. A role assignment consists of the following elements:

■ A security principal—a user, group, or service principal that will receive permissions
■ Role information
■ Scope
■ Type of assignment

Scope defines which objects the security principal will have control over. Possible options are:
■ Directory (Azure AD tenant)
■ Administrative unit
■ Azure AD resource (Azure AD group, enterprise application, application registration)

Type of assignment defines when permissions will be available. Possible options are:
■ Permanent eligible
■ Permanent active
■ Time-bound eligible
■ Time-bound active

With an eligible assignment, the security principal can get permissions just-in-time, when they need them. With an active assignment, the security principal has permissions 24/7.

Time-bound assignments are typically used when a user is assigned to some project with specified start and end dates. Otherwise, permanent assignments are used.

We recommend having all Azure AD role assignments as eligible assignments, with exceptions only for emergency access accounts (also known as "break glass" accounts).
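As an added illustration (not code from the book), the following Python models the four elements of a role assignment and the eligible/active and permanent/time-bound assignment types, then works out which roles a principal can actually exercise on a target object at a given moment, and lists the standing (active) assignments that fall outside the break-glass exception. Principal ids, the administrative unit id and the dates are made-up sample values; the scope strings follow the Microsoft Graph directoryScopeId convention ("/" for the directory, "/administrativeUnits/<id>" for an administrative unit).

```python
# Added example (not from the book): a small model of Azure AD role
# assignments (security principal, role, scope, assignment type) and a check
# of which roles are usable on a given object "right now".
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Iterable, List, Optional, Set

# Scope strings as used by Microsoft Graph directoryScopeId:
# "/" is the whole directory (tenant); "/administrativeUnits/<id>" is an AU.
DIRECTORY_SCOPE = "/"
AU_PREFIX = "/administrativeUnits/"


def at(year: int, month: int, day: int) -> datetime:
    """UTC timestamp helper so the sample data stays readable."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str                 # user, group, or service principal
    role_name: str                    # built-in or custom Azure AD role
    directory_scope_id: str           # "/" or "/administrativeUnits/<id>"
    eligible: bool                    # True: just-in-time; False: active 24/7
    start: Optional[datetime] = None  # None for both start and end = permanent
    end: Optional[datetime] = None

    def assignment_type(self) -> str:
        bound = "Time-bound" if (self.start or self.end) else "Permanent"
        return f"{bound} {'eligible' if self.eligible else 'active'}"

    def in_window(self, now: datetime) -> bool:
        if self.start is not None and now < self.start:
            return False
        if self.end is not None and now >= self.end:
            return False
        return True


@dataclass(frozen=True)
class DirectoryObject:
    object_id: str
    administrative_unit_ids: FrozenSet[str] = frozenset()


def scope_covers(directory_scope_id: str, target: DirectoryObject) -> bool:
    """Directory scope covers every object; an AU scope covers only the AU's
    members. Resource scopes (one app or group) are not modelled here."""
    if directory_scope_id == DIRECTORY_SCOPE:
        return True
    if directory_scope_id.startswith(AU_PREFIX):
        return directory_scope_id[len(AU_PREFIX):] in target.administrative_unit_ids
    return False


def usable_roles(assignments: Iterable[RoleAssignment], principal_id: str,
                 target: DirectoryObject, now: datetime,
                 activated: FrozenSet[RoleAssignment] = frozenset()) -> Set[str]:
    """Roles `principal_id` can exercise on `target` at `now`. Active
    assignments count while inside their window; eligible ones count only
    when the principal has activated them just-in-time (in `activated`)."""
    roles: Set[str] = set()
    for a in assignments:
        if a.principal_id != principal_id or not a.in_window(now):
            continue
        if not scope_covers(a.directory_scope_id, target):
            continue
        if a.eligible and a not in activated:
            continue
        roles.add(a.role_name)
    return roles


def standing_access_findings(assignments: Iterable[RoleAssignment],
                             break_glass_principals: Set[str]) -> List[RoleAssignment]:
    """Active assignments held by anyone other than an emergency access
    ("break glass") account, i.e. deviations from the all-eligible guidance."""
    return [a for a in assignments
            if not a.eligible and a.principal_id not in break_glass_principals]


def sample_assignments() -> List[RoleAssignment]:
    """Constructed sample tenant; ids are placeholders, not real object ids."""
    return [
        RoleAssignment("breakglass-1", "Global Administrator", DIRECTORY_SCOPE, eligible=False),
        RoleAssignment("alice", "User Administrator", AU_PREFIX + "au-sales", eligible=True),
        RoleAssignment("bob", "Application Administrator", DIRECTORY_SCOPE, eligible=False,
                       start=at(2024, 5, 1), end=at(2024, 7, 1)),  # project-bound
        RoleAssignment("carol", "Global Reader", DIRECTORY_SCOPE, eligible=False),
    ]


if __name__ == "__main__":
    A = sample_assignments()
    dave = DirectoryObject("dave", frozenset({"au-sales"}))
    now = at(2024, 6, 1)
    print(usable_roles(A, "alice", dave, now))                     # eligible, not activated
    print(usable_roles(A, "alice", dave, now, frozenset({A[1]})))  # activated via PIM
    for f in standing_access_findings(A, {"breakglass-1"}):
        print("standing access:", f.principal_id, f.role_name, f.assignment_type())
```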
NEED MORE REVIEW? EMERGENCY ACCOUNTS


Read more about emergency access accounts best practices at: 
https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access 


NEED MORE REVIEW? PRIVILEGED IDENTITY MANAGEMENT PLANNING 


Read about types of assignments in Privileged Identity Management planning documentation at: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-deployment-plan


To create an Azure AD role assignment using the Azure portal: 


1. Open Azure Active Directory > Roles and administrators and select the role. 
See Figure 1-1. You must select the actual role name (Application developer in this 
example), not the checkbox on the left. 


FIGURE 1-1 Roles and administrators page.


2. The next steps depend on the licensing level of your tenant—i.e., whether or not your 
license includes Azure AD Privileged Identity Management. In this book, we will assume 
that you have all necessary licenses. If you don't, you still can assign roles, but you won't 
have just-in-time capabilities or Custom roles functionality. 
3. Select Add assignments in the Privileged Identity Management interface. See Figure 1-2.
FIGURE 1-2 Assignments page for the Application developer role.


4. On the Membership tab of the Add assignments page, you specify security principals (members that should have roles assigned) and scope information. Available scope types depend on the role selected—for example, the User administrator role can be scoped to the administrative unit, since users can be included in an administrative unit, while the Application administrator role can be scoped to the Application or Service principal. Any role can be scoped to the Directory (tenant). Click Next. See Figure 1-3.
FIGURE 1-3 Add Assignments page for the Application developer role, Membership tab.




5. On the Setting tab of the Add assignments page, specify the Assignment type (Eligible vs Active) and start/end dates if necessary. Select Assign. See Figure 1-4.


FIGURE 1-4 Add Assignments page for the Application developer role, Setting tab.


After an assignment is created, you can find it on the Assignments page on either the 
Eligible assignments or Active assignments tab. See Figure 1-5. 


Use this page to remove the assignment or update assignment type if necessary. 


FIGURE 1-5 Add Assignments page for the Application developer role.
In the example above, we used the built-in Azure AD role. You can create your own Azure AD custom roles if you want to specify permissions granularly.


1. Open Azure Active Directory > Roles and administrators and select New custom 
role. See Figure 1-6. 
FIGURE 1-6 Roles and administrators page.


2. On the Basics tab of the New custom role page, specify the Name and Description 
and choose whether you want to start from scratch or clone a permissions list from an 
existing custom role. Click Next. See Figure 1-7. 
FIGURE 1-7 New custom role page, Basics tab.


3. On the Permissions tab of the New custom role page, select which permissions 
the new role will have. Click Next. See Figure 1-8. 
FIGURE 1-8 New custom role page, Permissions tab.
NOTE PERMISSIONS IN CUSTOM ROLES


Microsoft is constantly expanding its list of permissions available for custom roles. At the time of writing, custom role permissions are available for app registrations, enterprise applications, app consent, devices, and group management—some of them Generally Available and some in Public Preview. You can find an up-to-date list of available permissions on the Azure portal. Descriptions are available in the documentation—for example, for App registration permissions, see: https://docs.microsoft.com/en-us/azure/active-directory/roles/custom-available-permissions.


4. On the Review + create tab of the New custom role page, review the definition of the new Azure AD custom role, and select Create. See Figure 1-9.


FIGURE 1-9 New custom role page, Review + create tab.
After an Azure AD custom role is created, assignments for this role can be managed the same way you'd manage them for Azure AD built-in roles.


NEED MORE REVIEW? MANAGING AZURE AD ROLES WITH GRAPH API 


In the example above, we managed Azure AD roles with the Azure portal. Learn more about managing Azure AD roles with Graph API here:

https://docs.microsoft.com/en-us/graph/api/resources/directoryrole?view=graph-rest-1.0
https://docs.microsoft.com/en-us/graph/api/resources/unifiedroledefinition?view=graph-rest-1.0
https://docs.microsoft.com/en-us/graph/api/resources/unifiedroleassignment?view=graph-rest-1.0


NEED MORE REVIEW? AZURE AD ROLES 


Learn more about Azure AD roles from Azure AD roles documentation here: 
https://docs.microsoft.com/en-us/azure/active-directory/roles/ 


Configure delegation by using administrative units 


An administrative unit is a container in an Azure AD tenant that can include other resources for 
the purpose of delegating permissions. At the time of writing, administrative units can contain 
only users and groups. 


If you are familiar with Active Directory Domain Services (ADDS), you can compare an Azure AD administrative unit to an organizational unit in on-premises Active Directory Domain Services. Still, there are several differences between these technologies: in on-premises Active Directory Domain Services, organizational units were used both for Group Policy targeting and Role-Based Access Control. In Azure AD, administrative units are used for Role-Based Access Control only.
To list administrative units for the tenant, select Azure portal > Azure Active Directory > Administrative units. A new tenant doesn't have any administrative units. See Figure 1-10.

FIGURE 1-10 Administrative units page for new tenant.


To create an administrative unit: 
1. Select Azure portal > Azure Active Directory > Administrative units > Add. 
2. Specify a Name and Description (optional). 


3. Create an administrative unit by clicking Review + create or click Next: Assign roles 
to add a role assignment. 


4. If you chose to Assign roles, you will see a list of roles that can be assigned to administrative units. As discussed earlier, at the time of writing, administrative units can contain only users and groups. Therefore, only roles applicable to users and groups are shown on this screen. See Figure 1-11.
FIGURE 1-11 Custom domain names page with a verified custom domain name listed.


5. Select roles you want to assign security principals to and add security principals as delegated administrators. Select Next: Review + create.


6. Review the properties of the administrative unit and select Create. 


Use the Administrative unit page to:

■ Modify the Display name and Description of the administrative unit.
■ Add/remove objects to/from an administrative unit. At the time of writing, this applies to users and groups.
■ Assign roles to security principals that will manage objects from this administrative unit.

See Figure 1-12.
FIGURE 1-12 Administrative unit page.


NEED MORE REVIEW? ADMINISTRATIVE UNITS 


Read more about administrative units: 
https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units 

In the preceding examples, we managed administrative units through the Azure portal. 
Read more about managing administrative units with Graph API here: 


https://docs.microsoft.com/en-us/graph/api/resources/administrativeunit?view=graph-rest-1.0


Analyze Azure AD role permissions 


Earlier in the “Configure and manage Azure AD roles” section, we discussed the management 
of role assignments and custom Azure AD roles. 

In the SC-300 exam, you may be asked questions for which you need to identify permissions and roles necessary for a certain task. Documentation (https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference) includes information about Azure AD built-in roles and actions they can perform (permissions they have). Note that most Azure AD built-in roles have some actions listed that start with microsoft.directory/. These permissions allow the roles to create, update, or remove objects in Azure AD. Some roles also have permissions in


other Azure and Microsoft 365 services and systems. At the moment of writing, these include:

■ microsoft.azure.advancedThreatProtection/ - Azure Advanced Threat Protection
■ microsoft.azure.devOps/ - Azure DevOps
■ microsoft.azure.informationProtection/ - Azure Information Protection
■ microsoft.azure.print/ - Microsoft Print
■ microsoft.azure.serviceHealth/ - Azure Service Health
■ microsoft.azure.supportTickets/ - Azure support tickets
■ microsoft.cloudPC/ - Windows 365
■ microsoft.commerce.billing/ - Microsoft 365 billing
■ microsoft.commerce.volumeLicenseServiceCenter/ - Volume Licensing Service Center
■ microsoft.dynamics365/ - Dynamics 365
■ microsoft.edge/ - Microsoft Edge
■ microsoft.insights/ - Microsoft Viva Insights
■ microsoft.intune/ - Microsoft Intune
■ microsoft.flow/ - Microsoft Power Automate
■ microsoft.office365.complianceManager/ - Microsoft Purview Compliance Manager
■ microsoft.office365.desktopAnalytics/ - Desktop Analytics
■ microsoft.office365.exchange/ - Exchange Online
■ microsoft.office365.knowledge/ - Microsoft 365 knowledge management
■ microsoft.office365.lockbox/ - Microsoft Purview Customer Lockbox
■ microsoft.office365.messageCenter/ - Message Center in Microsoft 365 admin center
■ microsoft.office365.network/ - network locations
■ microsoft.office365.usageReports/ - Office 365 usage reports
■ microsoft.office365.protectionCenter/ - Microsoft 365 Defender
■ microsoft.office365.search/ - Microsoft Search
■ microsoft.office365.securityComplianceCenter/ - Security & Compliance Center
■ microsoft.office365.serviceHealth/ - Service Health in Microsoft 365 admin center
■ microsoft.office365.skypeForBusiness/ - Skype for Business Online
■ microsoft.office365.sharePoint/ - SharePoint Online
■ microsoft.office365.supportTickets/ - Microsoft 365 service requests
■ microsoft.office365.userCommunication/ - user communication, including "What's New" messages
■ microsoft.office365.webPortal/ - Microsoft 365 admin center
■ microsoft.office365.yammer/ - Yammer
■ microsoft.powerApps/ - Power Apps
■ microsoft.powerApps.powerBI/ - Power BI
■ microsoft.teams/ - Teams
■ microsoft.virtualVisits/ - Virtual Visits app
■ microsoft.windows.defenderAdvancedThreatProtection/ - Microsoft Defender for Endpoint
■ microsoft.windows.updatesDeployments/ - Windows Update service


Some roles can have restrictions that prohibit them from managing certain objects in an Azure AD tenant. For example, Exchange Administrator can manage Microsoft 365 group membership because they have the microsoft.directory/groups.unified/members/update permission. But this permission won't apply to role-assignable groups.


Configure and manage custom domains 


Every user in Azure AD has a User Principal Name (UPN). This attribute uniquely identifies the 
user. The UPN consists of a UPN prefix (user account name) and UPN suffix (domain name) 
divided by the @ symbol. For example, alice@contoso.com has a UPN prefix of alice and a UPN 
suffix of contoso.com. 


A new Azure AD tenant has the initial domain name <companyname>.onmicrosoft.com. 
This means that your first user account(s) will have a UPN formatted as <useraccountname> 
@<companyname>.onmicrosoft.com. 


After a custom domain name is added to the tenant, it is possible to have UPNs formatted 
as <useraccountname>@<customdomain>. For example, alice@contoso.com. 


In addition to UPN customization, custom domain names are also used to configure association with third-party identity providers, for Application Proxy configuration, and for groups in Exchange Online.


A key part of the custom domain name configuration process is verification: during verification, Microsoft ensures that you are the one who owns or manages the custom domain. Verification is completed through DNS records: you add the requested DNS records to the public DNS servers, and Microsoft uses this as confirmation that it is indeed your domain.


To list custom domain names for the tenant, select Azure portal > Azure Active Directory > Custom domain names. For the new tenant, only the initial domain name is listed. See Figure 1-13.
FIGURE 1-13 Custom domain names page for the new tenant.


To add a new custom domain name:

1. Select Add custom domain, provide the custom domain name that you have control over, and select Add domain. See Figure 1-14.
FIGURE 1-14 Add custom domain dialog.
2. On the next page, you will see the DNS records that Microsoft asks you to add to the public DNS zone. See Figure 1-15.


Either a TXT or MX record will work to verify a domain in Azure AD, but if you want to 
forward email for that domain you need an MX record. 


3. You can add a DNS record and click Verify. Adding a DNS record might take significant time—you may need to contact the DNS administrator of your company, go through internal change management processes for DNS records, wait for replication, and so on. For now, you can select the X button in the top-right corner. A custom domain name is already added in the tenant; it is just not yet verified. See Figure 1-16 for an example of an added but not yet verified custom domain name.
FIGURE 1-15 Add custom domain dialog with DNS records for verification.
FIGURE 1-16 Custom domain names page with an unverified domain name listed.


4. After DNS records have been successfully added and verification has completed, 
successfully verified domain names will be shown in Azure AD as such. See Figure 1-17. 
FIGURE 1-17 Custom domain names page with the verified custom domain name listed.


A custom domain name can be selected as primary. The primary domain is the default domain for new users. To make a domain name primary, select it and then select Make primary.

It is possible to add subdomains of existing custom domains. If a domain is already verified in the tenant and you add a subdomain, the subdomain will be verified automatically.


To delete a domain, select Delete on the domain's page. It is recommended to remove all references to that domain in your tenant first: any users, email addresses, proxy addresses, app ID URIs that mention the custom domain you are going to delete. Alternatively, you can use the ForceDelete option—in which case the custom domain will be deleted even if there are objects referencing it, and references will be updated to the initial domain name, such as <companyname>.onmicrosoft.com. The following conditions should be met for the ForceDelete option:

■ There should be fewer than 1000 references to the custom domain name.
■ Any references where Exchange is the provisioning service must be updated or removed.
■ The domain name shouldn't be purchased through Microsoft 365 domain subscription services.
■ You are not a partner administering on behalf of another organization.
■ No multi-tenant apps should have app ID URIs mentioning the domain subject for removal.
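The UPN, verification, subdomain and ForceDelete rules described in this section, as an added Python example that is not from the book and is not Microsoft's code. It models the rules in memory: the tenant name, the DNS record value it asks you to publish, and the Reference records are constructed placeholders; the 1000-reference limit is the one stated above.

```python
"""Added example, not from the book: an in-memory model of the custom domain rules
above (UPN prefix/suffix, verification by TXT or MX record, automatic verification
of subdomains, ForceDelete preconditions). All names and values are constructed."""
from dataclasses import dataclass, field

FORCE_DELETE_MAX_REFERENCES = 1000   # limit stated in the text


@dataclass
class Reference:
    """A tenant object that mentions a domain (constructed sample record)."""
    kind: str                        # "user", "proxyAddress", "appIdUri"
    value: str                       # e.g. "alice@contoso.com"
    provisioning: str = "AzureAD"    # "Exchange" when Exchange provisions it
    multi_tenant_app: bool = False   # only meaningful for kind == "appIdUri"


def split_upn(upn):
    """Return (prefix, suffix) for a UPN such as alice@contoso.com."""
    prefix, sep, suffix = upn.partition("@")
    if not sep or not prefix or not suffix:
        raise ValueError(f"not a UPN: {upn!r}")
    return prefix, suffix.lower()


@dataclass
class Tenant:
    initial_domain: str                           # <companyname>.onmicrosoft.com
    verified: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # domain -> value to publish in DNS
    references: list = field(default_factory=list)
    purchased_via_m365: set = field(default_factory=set)
    partner_managed: bool = False

    def __post_init__(self):
        self.initial_domain = self.initial_domain.lower()
        self.verified.add(self.initial_domain)

    def add_domain(self, name):
        """Add a custom domain. A subdomain of a verified domain is verified at once;
        anything else waits for the DNS record. Returns True when verified."""
        name = name.lower()
        if any(name.endswith("." + parent) for parent in self.verified):
            self.verified.add(name)
            return True
        # constructed placeholder for the record value Microsoft asks you to publish
        self.pending[name] = f"MS=ms{len(self.pending) + 1:08d}"
        return False

    def verify(self, name, dns_records):
        """dns_records: iterable of (type, value) pairs found in public DNS.
        Either a TXT or an MX record carrying the expected value verifies."""
        name = name.lower()
        expected = self.pending.get(name)
        if expected is None:
            return name in self.verified
        if any(t in ("TXT", "MX") and v == expected for t, v in dns_records):
            del self.pending[name]
            self.verified.add(name)
            return True
        return False

    def upn_allowed(self, upn):
        """A UPN suffix must be the initial domain or a verified custom domain."""
        return split_upn(upn)[1] in self.verified

    def force_delete_blockers(self, name):
        """The conditions from the text that stop ForceDelete; empty means allowed."""
        name = name.lower()
        refs = [r for r in self.references if name in r.value.lower()]
        checks = [
            (len(refs) >= FORCE_DELETE_MAX_REFERENCES,
             f"{len(refs)} references; fewer than {FORCE_DELETE_MAX_REFERENCES} required"),
            (any(r.provisioning == "Exchange" for r in refs),
             "references provisioned by Exchange must be updated or removed first"),
            (name in self.purchased_via_m365,
             "domain purchased through Microsoft 365 domain subscription services"),
            (self.partner_managed, "partner administering on behalf of another organization"),
            (any(r.kind == "appIdUri" and r.multi_tenant_app for r in refs),
             "multi-tenant app ID URIs mention the domain"),
        ]
        return [msg for hit, msg in checks if hit]

    def force_delete(self, name):
        """Remove the domain and repoint remaining references to the initial domain."""
        name = name.lower()
        blockers = self.force_delete_blockers(name)
        if blockers:
            raise RuntimeError("ForceDelete blocked: " + "; ".join(blockers))
        for ref in self.references:
            if name in ref.value.lower():
                ref.value = ref.value.lower().replace(name, self.initial_domain)
        self.verified.discard(name)
        self.pending.pop(name, None)
        return [r.value for r in self.references]
```

Running `force_delete_blockers` before `force_delete` mirrors the cleanup the text recommends: every blocker it returns is one of the listed conditions, and the rewrite to the initial domain only happens once the list is empty.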


NEED MORE REVIEW? CUSTOM DOMAINS 


Read more about managing custom domains at: 


https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-manage 


In the preceding examples, we managed custom domain names through the Azure portal.


Read more about managing custom domain names with Graph API at: 
https://docs.microsoft.com/en-us/graph/api/resources/domain?view=graph-rest-1.0 


Configure tenant-wide settings 


In this section, we will discuss tenant-wide settings shown from the tenant's Properties page 
and User Settings page. 


The tenant Properties page (see Figure 1-18) allows you to modify:
■ Tenant Name
■ Notification language
■ Technical contact information
■ Global privacy contact information
■ Privacy statement URL


NEED MORE REVIEW? PRIVACY INFORMATION IN AZURE AD TENANT PROPERTIES 


Read more about your organization's privacy information in Azure AD:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-properties-area
FIGURE 1-18 Tenant Properties page.


During Azure AD tenant creation, you specify a Country/Region. Based on the country/ 
region information, the Datacenter location is determined. You cannot change the country, 
region, or datacenter location after the tenant is created. 


NEED MORE REVIEW? AZURE AD DATA LOCATION 


Read more about Azure AD data locations in this Azure Active Directory Data Security Considerations white paper: https://azure.microsoft.com/en-us/resources/azure-active-directory-data-security-considerations/


Users with Azure AD roles, including Global Administrators, don't generally have permissions to manage Azure subscriptions associated with the tenant or resources in Azure subscriptions. There still may be scenarios when a Global Administrator needs access to an Azure subscription—for example, to recover access if the original subscription owner has left the organization. The Access management for Azure resources toggle allows the Global Administrator to elevate access and obtain a User access administrator role in Azure subscriptions associated with the tenant. It is recommended to use this option to recover access when needed and to disable the option again after the operation is completed.

NEED MORE REVIEW? ACCESS MANAGEMENT FOR AZURE RESOURCES


Read more about Global Administrators managing access for Azure resources:
https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin


Use the Azure portal > Azure Active Directory > User Settings page to control tenant-wide settings such as:
■ Restricting users from registering applications in the tenant.
■ Restricting users' access to the Azure AD administration portal (Azure Active Directory on Azure portal). This doesn't restrict users from doing anything through the API/PowerShell, so it shouldn't be considered a way to protect from a dedicated attacker.
■ Sharing LinkedIn account connections: data sharing between Microsoft and LinkedIn that allows users to have information and insights from LinkedIn available in some Microsoft apps and services.


NEED MORE REVIEW? LINKEDIN ACCOUNT CONNECTIONS DATA SHARING AND CONSENT 


Read more about this feature at: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/linkedin-user-consent


Skill 1.2: Create, configure, and manage Azure AD identities

An Azure AD tenant typically includes user objects and group objects (among other object types). In this section, we cover management of user and group objects in an Azure AD tenant—directly, not through synchronization from an on-premises environment. In this section, we also cover Microsoft 365 licenses assignment. An Azure AD tenant can have devices registered in it—in this section, we also cover device registration options (Azure AD Registration, Azure AD Join, Hybrid Azure AD Join), related controls, and implementation steps.


This skill covers how to:
■ Create, configure, and manage users
■ Create, configure, and manage groups
■ Configure and manage device joins and registrations, including writeback
■ Assign, modify, and report on licenses

Create, configure, and manage users


Most Azure AD tenants include user objects that represent the organization's employees or associates. There are multiple ways that the user object can be created in Azure AD:
■ The user object can be created directly in Azure AD (via Azure portal, API, PowerShell, or Azure CLI).
■ The user object can be synchronized from on-premises Active Directory Domain Services with Azure AD Connect or Azure AD Connect cloud sync.


For the rest of this section, we will focus on user objects created directly in Azure AD. Synchronization from the on-premises environment will be covered in Skill 1.4: "Implement and manage hybrid identity."


To create a new user in the Azure portal:

1. Open Azure portal > Azure Active Directory > Users > New user. See Figure 1-19.
FIGURE 1-19 The custom domain names page with a verified custom domain name listed.
2. Keep Create user selected. See Figure 1-20. Specify a User name and name. Optionally, you can:
■ Set a First name.
■ Set a Last name.
■ Add the user to groups.
■ Assign roles to the user.
■ Block sign in.
■ Set Usage location. You must set Usage location if the user will have a Microsoft 365 license assigned directly.
■ Set Job info (Job title, Department, Company name, Manager).
FIGURE 1-20 New user creation dialog.
3. Select Create.


In the preceding example, we discuss creating a user with the Azure portal New user dialog. Other ways to create users include:
■ Upload a CSV file with user information to the Azure portal. Read more at: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-bulk-add
■ Use Graph API calls: https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0
■ Use PowerShell: https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.users/?view=graph-powershell-1.0
■ Use Microsoft School Data Sync: https://docs.microsoft.com/en-us/schooldatasync/overview-of-school-data-sync
Once the user object is created, you can use the user profile page shown in Figure 1-21 to:
■ Modify the user's attributes, such as Name, User Principal Name, Job info, Contact information, and so on.
■ Manage Authentication methods available to users: email, phone number, Temporary Access Pass.
■ Manage Custom security attributes.
■ Assign roles to the user.
■ Assign applications to the user.
■ Add the user to administrative units.
■ Manage devices associated with the user.
■ Manage the user's licenses.
■ View sign-in logs and audit logs information for a user.
■ Revoke a user's sessions.
■ Delete a user.
FIGURE 1-21 User properties page.

Create, configure, and manage groups


Group objects in an Azure AD tenant can be used in many scenarios, such as:
■ Managing access to applications
■ Assigning Azure AD roles
■ Assigning Azure roles
■ Assigning roles and permissions across various Microsoft 365 products such as Intune, Exchange Online, Cloud App Security, and others
■ Managing group-based licensing
■ Targeting Conditional Access policies
■ Managing Authentication methods
■ Managing Self-Service Password Reset

As with user objects, there are multiple ways that group objects can be created in Azure AD:
■ Group objects can be created directly in Azure AD (via Azure portal, API, PowerShell, Azure CLI).
■ Group objects can be synchronized from on-premises Active Directory Domain Services with Azure AD Connect or Azure AD Connect cloud sync.

Groups synchronized from on-premises environments are managed in on-premises environments; you can't modify them in Azure AD.


In Azure AD, you can create two types of groups:
■ Security groups
■ Microsoft 365 groups

Additionally, Microsoft 365 has concepts of Distribution groups and Mail-Enabled Security groups that are represented in Azure AD as read-only objects and are beyond the scope of this book.

Security groups are used for granting access to resources.

Microsoft 365 groups are used for collaboration between users, as well as between users and guests.




To create a group using the Azure portal:

1. Open Azure portal > Azure Active Directory > Groups. Select New group. See Figure 1-22.
FIGURE 1-22 All groups page for the new tenant.
2. Specify the properties of the group you are creating, as shown in Figure 1-23:
■ Group type—Security or Microsoft 365
■ Group name
■ Group email address (for Microsoft 365 groups only)
■ Group description (optional)
■ Azure AD roles can be assigned to the group—if the group will be role-assignable. This setting can't be changed later.
■ Membership type—if the group should be dynamic. You will find more information about dynamic groups later in this section.
■ Owners (optional)
■ Members (optional, for non-dynamic groups only)
■ Dynamic query (for dynamic groups only)
FIGURE 1-23 New group dialog.
3. Select Create.


In the preceding examples, we managed a group through the Azure portal. Read more about managing groups with Graph API at: https://docs.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0


Group nesting is supported only between Security groups. The Microsoft 365 group 
can't be added to any group, and no group can be added to the Microsoft 365 group. 


NEED MORE REVIEW? GROUP NESTING 


Read more about group nesting limitations at: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-membership-azure-portal

Even though nesting is supported between security groups, not every feature within Azure AD recognizes nested membership. Read Azure AD service limits documentation for up-to-date information on scenarios supported and not supported for nested groups: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/directory-service-limits-restrictions.


Both Security and Microsoft 365 groups can be dynamic groups. This feature allows you to configure complex attribute-based rules to populate group membership automatically. A dynamic group can include users or devices but not at the same time.


Here is an example of a dynamic group membership rule (expression): 


user.department -eq "Finance"


Here, the group will include all users from the Finance department. 


Dynamic groups support expression operators (such as Equals, Starts With, Match, etc.), 
logical operators (And, Or, etc.), strings, numbers, Boolean and array properties. 
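How a rule such as user.department -eq "Finance" can be parsed and then evaluated against user attributes, as an added Python example that is not from the book and is not Microsoft's rule engine. It is a small model: the SAMPLE_USERS records are constructed, case-insensitive string matching is an assumption of the model, and multi-value operators such as -any/-all are not implemented.

```python
"""Added example, not from the book: an evaluator for dynamic membership rules
shaped like the one above (user.department -eq "Finance"), run over constructed
user records. It covers -eq, -ne, -startsWith, -contains, -match, -and, -or and
parentheses; case-insensitive matching is an assumption of this model."""
import re

_TOKEN_RE = re.compile(r'\s*(?:(?P<str>"[^"]*")|(?P<paren>[()])|(?P<op>-[A-Za-z]+)'
                       r'|(?P<ident>[A-Za-z_][\w.]*))')
_KEYWORDS = {"true": True, "false": False, "null": None}

def tokenize(rule):
    """Split a rule into (kind, value) tokens: const, op, paren or ident."""
    rule, pos, tokens = rule.strip(), 0, []
    while pos < len(rule):
        m = _TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"bad token near {rule[pos:pos + 12]!r}")
        pos, kind, text = m.end(), m.lastgroup, m.group(m.lastgroup)
        if kind == "str":                       # quoted string literal
            tokens.append(("const", text[1:-1]))
        elif kind == "ident" and text.lower() in _KEYWORDS:
            tokens.append(("const", _KEYWORDS[text.lower()]))
        else:                                   # operator, paren or property path
            tokens.append((kind, text.lower() if kind == "op" else text))
    return tokens

def parse(rule):
    """Recursive descent: expr := term (-or term)*, term := factor (-and factor)*,
    factor := ( expr ) | operand op operand. Returns a nested tuple tree."""
    tokens, pos = tokenize(rule), [0]
    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else (None, None)
    def take():
        pos[0] += 1
        return tokens[pos[0] - 1] if pos[0] <= len(tokens) else (None, None)
    def chain(op, below):                       # left-associative -or / -and chain
        node = below()
        while peek() == ("op", op):
            take()
            node = (op[1:], node, below())
        return node
    def factor():
        if peek() == ("paren", "("):
            take()
            node = expr()
            if take() != ("paren", ")"):
                raise ValueError("expected ')'")
            return node
        left, (kind, op), right = take(), take(), take()
        if kind != "op" or None in (left[0], right[0]):
            raise ValueError(f"malformed comparison near {op!r}")
        return ("cmp", op, left, right)
    def expr():
        return chain("-or", lambda: chain("-and", factor))
    tree = expr()
    if pos[0] != len(tokens):
        raise ValueError("unexpected trailing tokens")
    return tree

def _compare(op, left, right):
    norm = lambda v: v.lower() if isinstance(v, str) else v
    if op in ("-eq", "-ne"):
        return (norm(left) == norm(right)) == (op == "-eq")
    if not (isinstance(left, str) and isinstance(right, str)):
        return False                            # string operators need two strings
    if op == "-match":
        return re.search(right, left, re.IGNORECASE) is not None
    tests = {"-startswith": norm(left).startswith(norm(right)),
             "-contains": norm(right) in norm(left)}
    if op not in tests:
        raise ValueError(f"unsupported operator {op}")
    return tests[op]

def evaluate(node, ctx):
    """Evaluate a parsed tree against {"user": {...}}; missing properties are None."""
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], ctx) or evaluate(node[2], ctx)
    if kind == "and":
        return evaluate(node[1], ctx) and evaluate(node[2], ctx)
    if kind == "const":
        return node[1]
    if kind == "ident":
        obj = ctx
        for part in node[1].split("."):         # e.g. user.department
            obj = obj.get(part) if isinstance(obj, dict) else None
        return obj
    return _compare(node[1], evaluate(node[2], ctx), evaluate(node[3], ctx))

def members(rule, users):
    """UPNs of the users the rule would place in the group."""
    tree = parse(rule)
    return [u["userPrincipalName"] for u in users if bool(evaluate(tree, {"user": u}))]

SAMPLE_USERS = [   # constructed sample records, not real accounts
    {"userPrincipalName": "alice@contoso.com", "department": "Finance", "accountEnabled": True},
    {"userPrincipalName": "bob@contoso.com", "department": "finance", "accountEnabled": False},
    {"userPrincipalName": "carol@contoso.com", "department": "Sales", "jobTitle": "Account Executive"},
    {"userPrincipalName": "dave@contoso.com", "jobTitle": "Contractor"},
]
```

The point to notice is the parse step: -and binds tighter than -or, so a rule that mixes them without parentheses may not say what you meant, and a property the user lacks evaluates to None, which makes every string operator false for that user.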


NEED MORE REVIEW? DYNAMIC GROUPS 


Find more examples of dynamic group membership rules, operators usage, and supported properties in this documentation: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership


Azure AD Self-Service Group Management allows users to create and manage their groups. Self-Service Group Management is supported for security groups and Microsoft 365 groups but not mail-enabled security groups or distribution lists.

By default, users can create Security and Microsoft 365 groups using the Access panel page https://account.activedirectory.windowsazure.com/r#/groups, API calls, or PowerShell commands. See Figure 1-24 for an Access Panel user interface example. After the group is created, the creator becomes the first owner and first member of the group. Later, an owner or administrator can add additional owners and members to the group. For an owner to manage groups, they must use the Access Panel shown in Figure 1-24. For administrators to manage groups, they will need to use the Azure portal shown in Figure 1-22.
FIGURE 1-24 Access Panel, group management page.


Users can request membership in groups that may be granted automatically or under the owner's discretion. This is controlled by the Join policy of the group. Groups have a Join policy with one of the following values:
■ This group is open to join for all users.
■ Only the owner of this group can add members.
■ This group requires owner approval.

The Join policy is managed by the group owner, as shown in Figure 1-25.
FIGURE 1-25 Access Panel, group properties. For the "Project members" group, the Group policy dropdown offers: Only the owner of this group can add members; This group requires owner approval; This group is open to join for all users.

The first two options are available for group owners in the tenant by default. The third option is available to group owners only if an administrator enables it by setting "Owners can manage group membership requests in the Access Panel" to "Yes." See Figure 1-26.
FIGURE 1-26 Group management settings, default values.


To join a group:
1. As a requestor (a user who needs to join a group), open the Access Panel, Groups page: https://account.activedirectory.windowsazure.com/r#/groups.
2. Select Join group.
3. Select the group you want to join and select Join group. See Figure 1-27.
FIGURE 1-27 Access panel, Join groups dialog.
4. Provide business justification.
5. On the page Your request has been sent to the owner of the group select OK.

For the group owner to approve the request, they need to:
1. Open the Access Panel, Groups page: https://account.activedirectory.windowsazure.com/r#/groups.
2. Select the notification button and review the request. See Figure 1-28.


FIGURE 1-28 The Access panel, Groups page shows a group join notification for the group owner (in the figure: "Darrow, Alex requested to join 'Project members'").


3. Select Approve or Deny. 




Groups Expiration policy allows you to automatically remove Microsoft 365 groups that 
are no longer in use. When group expiration policy is enabled, all groups with user activity 
(such as document uploads, emails delivered) are renewed automatically, while for groups 
without user activity, owners should confirm if the group should be renewed and not deleted. 
Example settings for group expiration are shown in Figure 1-29. 


Group Expiration policy is not applicable to Security groups. 


FIGURE 1-29 Group Expiration settings. The page shows Group lifetime (in days): 180; Email contact for groups with no owners: DunkerAndrea@lamnahealthcare.com; Enable expiration for these Microsoft 365 groups: None. The page note reads: "Renewal notifications are emailed to group owners 30 days, 15 days, and one day prior to group expiration. Group owners must have Exchange licenses to receive notification emails. If a group is not renewed, it is deleted along with its associated content from sources such as Outlook, SharePoint, Teams, and Power BI."


Configure and manage device joins and registrations, including writeback

Devices are represented in Azure AD in the form of device objects. You don't generally need your device to be represented in Azure AD to sign in, but in certain scenarios having device objects is a prerequisite or significantly improves the user experience. These scenarios include:
■ Sign in to the device with Azure AD credentials
■ Single Sign-On to Azure AD
■ Device-based Conditional Access policies
■ Mobile Device Management enrollment

There are three join types that can be used to register a device in Azure AD:
■ Azure AD Registration
■ Azure AD Join
■ Hybrid Azure AD Join


Azure AD Registration (previously known as Workplace Join) is for personal (BYOD—Bring Your Own Device) scenarios. It works for Windows 10 and above, iOS, Android, and macOS. During Azure AD Registration, the user adds their Azure AD account to the device, and the device will be represented in Azure AD. In some cases, Azure AD Registration can happen when the user installs a Microsoft app and signs in with their Azure AD account—for example, when the user installs Outlook on a personal device and signs in with their (corporate) Azure AD account. Azure AD Registration doesn't affect how the user signs in to the device itself; they will continue to sign in the same way they did before Azure AD registration occurred.


Azure AD Join is for corporate devices with Windows 10 and above. A device is joined to an Azure AD tenant, and Azure AD users from that tenant can sign in to the device. Azure AD Joined devices are typically managed through Mobile Device Management (MDM) solutions, such as Intune. Azure AD Joined devices are not part of the on-premises Active Directory Domain Services domain. It is possible to get Single Sign-On from an Azure AD Joined device not only to Azure AD but also to on-premises resources. Azure AD Join works great for corporate computers, especially for remote workforce, if you are OK with managing devices with MDM solutions rather than Group Policy.


Hybrid Azure AD Join is for corporate devices running Windows 7 and above, Windows Server 2008 and above. Before the Hybrid Azure AD Join process can be triggered, the device must be joined to the on-premises Active Directory Domain Services domain. After that, the device identity can be synchronized to Azure AD with Azure AD Connect and the device can complete the Hybrid Azure AD Join process. When a device is joined to Azure AD through the Hybrid Azure AD Join process, the device becomes represented in the Azure AD tenant and the user gets Single Sign-On to Azure AD. Users will use on-premises Active Directory Domain Services mechanisms to sign in to a Hybrid Azure AD Joined device, which means line of sight to domain controllers will be required for certain scenarios, such as device password changes, user password changes, and TPM resets. Since the device is part of the on-premises Active Directory Domain Services domain, the device can be managed with Group Policy, but MDM is also an option.


For new implementations, we recommend deploying Azure AD Joined machines (not Hybrid Azure AD Joined), as they don't require line of sight to domain controllers or have other dependencies on on-premises Active Directory Domain Services.

NOTE ONE MACHINE HAVING MULTIPLE REGISTRATIONS


A single machine can't be Azure AD Joined and Hybrid Azure AD Joined at the same time. But 
machines can be Azure AD Joined/Hybrid Azure AD Joined and Azure AD Registered. You can 
also mix Azure AD Joined, Hybrid Azure AD Joined, and Azure AD Registered machines in the 
same tenant. 


NEED MORE REVIEW? AZURE AD JOIN AND HYBRID AZURE AD JOIN DEPLOYMENT PLANNING


Read more about planning Hybrid Azure AD Join implementation: 
https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan 


Read more about planning Azure AD Join implementation: 
https://docs.microsoft.com/en-us/azure/active-directory/devices/azureadjoin-plan 


All three options mentioned above (Azure AD Registration, Azure AD Join, Hybrid Azure AD Join) will provide you Single Sign-On to Azure AD. For Windows 10 and newer, in all three implementations it will be achieved by using a Primary Refresh Token (PRT). Read more about PRT at https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token.


An administrator can control device registration: 


■ For Azure AD Registered devices: An administrator can select whether users can register devices on the Azure AD > Devices > Device settings page. Azure AD Registration must be enabled if enrollment with Intune or MDM for Office 365 is enabled. See Figure 1-30.
■ For Azure AD Joined devices: An administrator can select which users can join devices on the Azure AD > Devices > Device settings page. See Figure 1-30.
■ For Hybrid Azure AD Joined devices: A Service Connection Point (SCP) entry is required for a device to complete the Hybrid Azure AD Join process. The SCP can be located in the on-premises Active Directory Domain Services domain or in the form of registry settings on the client machine. An administrator can remove the SCP from the domain and add client-side registry settings on desired machines.


NEED MORE REVIEW? CONTROL HYBRID AZURE AD JOIN DEPLOYMENT 


To read more about using SCP to control which machines should be Hybrid Azure AD Joined, visit: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-control


FIGURE 1-30 Device settings—default configuration. The page shows settings including Maximum number of devices per user and the note: "Set this device setting to No if you require Multi-Factor Authentication using Conditional Access."


NOTE SEAMLESS SINGLE SIGN-ON VS HYBRID AZURE AD JOIN 


One more way to implement Single Sign-On to Azure AD from a Windows machine is to use Seamless Single Sign-On (Seamless SSO, SSSO, Desktop SSO). This method will not use PRT, and you generally don't need SSSO if you have PRT through an Azure AD Registered, Azure AD Joined, or Hybrid Azure AD Joined devices implementation. If you have Windows 7, Windows 8.1, or for some reason you don't have PRT—Seamless SSO is the option you may consider. Seamless SSO will be covered in detail in the section "Implement and manage Seamless Single Sign-On (Seamless SSO)" under Skill 1.4: "Implement and manage hybrid identity."


NEED MORE REVIEW? DEVICE IDENTITIES IN AZURE AD OVERVIEW 


Read more about device identities in Azure AD at: 
https://docs.microsoft.com/en-us/azure/active-directory/devices/ 


As discussed above, the Hybrid Azure AD Join process includes synchronization of device identity from on-premises Active Directory Domain Services to Azure AD.

There are also scenarios when information about a device must be synchronized in another direction—from Azure AD to on-premises Active Directory Domain Services. This is called Device writeback. Device writeback is used when you need to:


■ Enable Windows Hello for Business with hybrid certificate trust deployment (for Hybrid Azure AD Joined machines only)
■ Enable Conditional Access based on devices on ADFS 2012 R2 and higher (for environments with Active Directory Federation Services—ADFS)


Device writeback must be configured in Azure AD Connect. See Figure 1-78 for the Optional features page of Azure AD Connect in Skill 1.4: "Implement and manage hybrid identity."


When you enable device writeback in Azure AD Connect, it provides you with a PowerShell script that performs the following operations in your on-premises environment:
■ Creates containers and objects for the device registration configuration under CN=Device Registration Configuration,CN=Services,CN=Configuration,[forest-dn]
■ Creates containers and objects for devices under CN=RegisteredDevices,[domain-dn]
■ Gives Azure AD Connect necessary permissions to manage devices in on-premises Active Directory Domain Services


NEED MORE REVIEW? DEVICE WRITEBACK 


Read more about device writeback configuration in Azure AD Connect at: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-device-writeback/


Assign, modify, and report on licenses

Many Microsoft 365 services are available through licensing plans such as:
■ Azure Active Directory Premium P1/P2
■ Microsoft 365 E3/E5
■ Office 365 E1/E3/E5
■ Enterprise Mobility + Security E3/E5


Some of these plans include other plans: for example, Enterprise Mobility + Security E3 
includes Azure Active Directory Premium P1, and Enterprise Mobility + Security E5 includes 
Azure Active Directory Premium P2, etc. 


NEED MORE REVIEW? MICROSOFT 365 LICENSING 


Find more information about available licensing plans on the Microsoft 365 licensing page: 
https://www.microsoft.com/en-us/licensing/product-licensing/microsoft-365 
Before a user can have a Microsoft 365 service license assigned, they need to set the UsageLocation attribute to the value representing their country or region. Usage location is important because not all Microsoft services are available in all regions.

■ Cloud-only users can update their Usage location on the Azure portal > Azure Active Directory > Users > [Name] > Manage > Profile page.
■ For user accounts synchronized from on-premises Active Directory Domain Services, you can manage the msExchUsageLocation attribute on-premises (if you have on-premises Active Directory Domain Services schema extended for Microsoft Exchange) or use another attribute of your choice and synchronize it to UsageLocation by modifying synchronization rules.

UsageLocation must be set before a license can be assigned to a user individually. If you assign a license to a group and one or more of the group's members doesn't have the UsageLocation attribute set, the location of the Azure AD tenant will be inherited.


To view licenses available in your tenant, open Azure portal > Azure Active Directory > 
Licenses > All products. See Figure 1-31. 


FIGURE 1-31 Manage licenses. The All products page for Lamna Healthcare Company lists each product with its license counts, including Assigned; in the figure, Enterprise Mobility + Security E5 shows 250, 2, and 248, and Microsoft 365 Business Premium shows 25, 3, and 22.
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To assign a license: 


2. 


Ensure that users you need to assign a license to have the Usage location attribute set 
to their country or region. 
Select the checkbox near the license name and select Assign. 


On the Users and groups tab of the Assign license page, select Add users and 
groups and add those who will be licensed. See Figure 1-32. 


Select Next: Assignment Options. 


[Screenshot: Assign license page with the Users and groups, Assignment options, and Review + assign tabs; no users and groups assigned yet.]
FIGURE 1-32 Assign license page, Users and groups tab. 


5. On the Assignment options tab of the Assign license page, you can turn specific products On or Off for licenses that include multiple products. See Figure 1-33. Select Next: Review + Assign.

FIGURE 1-33 Assign license page, Assignment options tab.


6. Review the options and select Assign. 


Skill 1.3: Implement and manage external identities 


With Azure Active Directory, you can provide business partners and consumers seamless access to applications and resources. In this section we cover Azure AD B2B. We discuss the authentication options available for guests: many guests can get single sign-on to a resource tenant using their existing accounts, such as Azure AD accounts, Microsoft accounts, Google accounts, or accounts from federated identity providers. We discuss the process of inviting and re-inviting guests to your tenant. We cover the collaboration settings applicable to guests. We also cover federation with identity providers.


This skill covers how to:

■ Manage external collaboration settings in Azure AD
■ Invite external users, individually or in bulk (collectively)
■ Manage external user accounts in Azure AD
■ Configure identity providers, including SAML or WS-Fed

Manage external collaboration settings in Azure AD


With Azure AD, you can provide business partners and consumers seamless access to applications and resources. Seamless authentication allows external users to "bring their own identity" and get access without the need to set up new credentials such as new passwords. Collaboration is protected with security features such as Conditional Access and Identity Protection.


Azure AD B2B allows you to invite business partners to your tenant and provide them access to applications and resources. In Azure AD B2B, the invited party is called a Guest and the tenant they access as a guest is called the Resource tenant. To differentiate from a Guest, a regular user account is called a Member in this context.


When you invite a guest, the only required field is an email address; everything else (name information, job title, personal message) is optional. After a guest is invited, they need to accept the invite by following the redemption link and providing consent to access your tenant. The redemption link is included in the invitation email, or you can provide it to the guest through other means.


After a guest accepts an invite, the Identity issuer type is identified based on the guest's email address:

■ Azure AD users will get the Single Sign-On experience. In this case, the tenant where the user account lives is called the Home tenant.
■ A user with an email address matching the domain of a SAML/WS-Fed provider federated with the resource tenant will get the Single Sign-On experience. This option is used when the resource tenant administrator needs to provide Single Sign-On to guests from a domain that is not Azure AD verified.
■ A user with the domain suffix gmail.com or googlemail.com will get the Single Sign-On experience if the resource tenant admin configured Google federation.
■ A user with a personal Microsoft account will get the Single Sign-On experience.
■ If none of the options above apply to a guest based on their email address:
  ■ If email one-time passcode is enabled in the tenant, a passcode is sent to the guest over email and the guest uses it to sign in.
  ■ If email one-time passcode is disabled in the tenant, the guest will be prompted to create an Azure AD self-service account or a personal Microsoft account.


NEED MORE REVIEW? AZURE AD B2B INVITE REDEMPTION 


Read more about Azure AD B2B redemption flow in the documentation: 
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/ 
redemption-experience 
After a guest is invited, it is one more user account in the resource tenant. The difference from a regular user account is that the regular user account has a User type of Member, while a guest has a User type of Guest. Like any other user account, a Guest can have applications assigned to it, can hold Azure AD roles or roles in other RBAC systems, can be a member of groups, can have permissions for various resources, and so on.


Use the Azure portal > Azure Active Directory > External Identities > External collaboration settings page to manage tenant-wide settings of Azure AD B2B collaboration. See Figure 1-34 and Figure 1-35.

FIGURE 1-34 External collaboration settings.

FIGURE 1-35 External collaboration settings (continued).


By default, guest users have limited permissions in the resource tenant, fewer than a member of the tenant, but their permissions can still be considered too broad, depending on the business scenario. For example, by default, guests can read properties of groups in the tenant (including membership and ownership) and read certain properties of other users, including other guests, in the tenant: display name, email, sign-in name, photo, etc. To limit the information guest users can read in your tenant, change the Guest user access restrictions setting to Guest user access is restricted to properties and memberships of their own directory objects (most restrictive).


NEED MORE REVIEW? PERMISSIONS FOR USERS AND GUESTS 


Read more about restricting guest access at: https://docs.microsoft.com/en-us/azure/ 
active-directory/enterprise-users/users-restrict-guest-permissions 


Read more about default user permissions at: https://docs.microsoft.com/en-us/azure/ 
active-directory/fundamentals/users-default-permissions 
By default, any user can invite guests to the tenant. This means guests can invite new guests as well. By modifying the Guest invite restrictions setting you can control who can invite new guests:

■ Any existing user (member or guest)
■ Any member, and guests with specific administrative roles (Global Administrator, User Administrator, Guest Inviter)
■ Global Administrator, User Administrator, or Guest Inviter
■ No one can invite new guests


Azure AD External Identities self-service sign-up allows guests to use identity providers (Azure AD, Microsoft account, email one-time passcode, Google, Facebook) to sign up to an application. Self-service sign-up works for applications built by the resource tenant organization and doesn't work for Microsoft's first-party applications. Self-service sign-up must be enabled in the External collaboration settings. After it is enabled, you need to create user flows (and API connectors, if the sign-up flow must call external systems).


NEED MORE REVIEW? AZURE AD B2B SELF-SERVICE SIGN-UP 


Read more about Azure AD self-service sign-up at: https://docs.microsoft.com/en-us/azure/ 
active-directory/external-identities/self-service-sign-up-overview 


As discussed earlier, the most important attribute of a guest in the invite process is their 
email address. By default, users that have permissions to invite guests can invite guests from 
any email domain. You can change that with the Collaboration restrictions setting—you can 
configure a list of domains that invites cannot be sent to or allow invites to be sent only to the 
specified domains. 


EXAM TIP 


External identities need licenses when it comes to Azure AD Premium features such as 
Conditional Access. Review documentation on the Monthly Active Users (MAU) model 
for External Identities pricing at https://azure.microsoft.com/en-us/pricing/details/active- 
directory/external-identities/ 
Invite external users, individually or in bulk (collectively)

There are multiple ways that a user can be invited as an Azure AD B2B guest to the resource tenant:

■ Individually with the Azure portal
■ As part of a bulk invite with the Azure portal
■ Individually with PowerShell
■ As part of a bulk invite with PowerShell
■ Using the Graph API


In addition to these methods, various applications may call the Graph API to invite guests when they need to establish collaboration with external users. Examples are SharePoint Online, OneDrive for Business, and Teams: when you share a file with OneDrive or invite an external user to a Teams channel, this may lead to the creation of an Azure AD B2B guest account.


To invite an Azure AD B2B guest individually using the Azure portal:

1. Open Azure portal > Azure Active Directory > Users. See Figure 1-36.

FIGURE 1-36 All users page.

2. Select New guest user.
3. On the New user page, keep the Invite user option selected. See Figure 1-37.

FIGURE 1-37 New user dialog.

4. Provide an Email address for the new guest.
5. Optionally, provide any of the following:
■ Name
■ First name
■ Last name
■ Personal message
■ Groups
■ Roles
■ Block sign in
■ Usage location
■ Job title
■ Department
■ Company name
■ Manager
6. Select Invite.


After the preceding steps are completed, the invited person will receive an email. See Figure 1-38.

FIGURE 1-38 Azure AD B2B guest invite email.


At this time (before the invite is accepted by the guest), the guest user object already exists in the resource tenant. The resource tenant administrator can add that user object to groups, assign permissions, add the user to roles, and perform other management tasks. But nobody can sign in with that user account yet because the invite hasn't been accepted.

7. When the guest-to-be selects the Accept invitation link in the email, Azure AD identifies the Issuer type as described previously. If the guest-to-be is an Azure AD user, they are redirected to the consent page, where they can review the permissions that the resource tenant will have over their account if they accept the invite. See Figure 1-39.
[Screenshot: Review permissions page, stating that Lamna Healthcare Company has not provided a link to its privacy statement, that it may log information about the guest's access, and that the permissions can be removed at https://myapps.microsoft.com/lamnahealthcare.onmicrosoft.com.]

FIGURE 1-39 Review permissions page.


8. After the guest selects Accept, they will be redirected to the My Apps portal, where 
they can see applications available to them in the resource tenant. The My Apps portal 
will open in the context of a guest account in the resource tenant. See Figure 1-40, 
where the user from the home tenant northwindelectriccars.onmicrosoft.com signed in 
to the resource tenant lamnahealthcare.onmicrosoft.com as a guest. 


[Screenshot: My Apps (https://myapplications.microsoft.com) for the user Waxman, Peter, signed in to Lamna Healthcare Company as a guest; "There are no apps to show."]

FIGURE 1-40 My apps page.
To bulk invite guests using the Azure portal:

1. Open the Azure portal > Azure Active Directory > Users page, as shown in Figure 1-36.
2. Select Bulk operations > Bulk invite. See Figure 1-41.


[Screenshot: Users > All users page (6 users found, including one Guest) with the Bulk invite users panel open, showing the steps 1. Download csv template (optional), 2. Edit your csv file, 3. Upload your csv file.]

FIGURE 1-41 All users page, Bulk invite users dialog.


3. Download the csv file template.
4. Edit the csv file:
■ Provide the email addresses of the invitees (guests).
■ Provide the redirection URL. The template provides the URL https://myapplications.microsoft.com. You can keep this one, and the guests' invite redemption experience will be like the one described earlier in this section. But in many cases, in a bulk invite scenario, you may want to redirect guests to some application after they accept the invite.
■ Specify whether you want Azure AD to send the guests invites. The template includes a TRUE flag. You can keep this one, and the guests' invite redemption experience will be like the one described earlier in this section. Optionally, you can provide end users the redemption URL through other means: publish it on a custom portal, include it as part of custom email communication you have with them, and so on.
■ Provide a customized invitation message.
5. Upload the csv file back to the Azure portal. You will see a File uploaded successfully message if no issues are found with the file format.
6. Select Submit.


7. After processing is completed, select the File is ready! Click here to download link, as 
shown in Figure 1-42. 


[Screenshot: Users > All users page with the Bulk invite users panel after upload, showing "File uploaded successfully", status Succeeded, the link "File is ready! Click here to download", and a link to view the status of each row.]

FIGURE 1-42 All users page, Bulk invite users dialog, after the CSV file has been uploaded and processed.


8. Download the CSV file from the portal: it will be mostly the same file you previously 
uploaded. A key difference is that it will now have a Status column where you can see 
whether the invite was sent successfully. 


NEED MORE REVIEW? AUTOMATING AZURE AD B2B GUESTS INVITE 

In the preceding example, we invited guests individually and in bulk with the Azure portal. 
Learn more about inviting guest users with PowerShell individually at: 
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b- 
quickstart-invite-powershell 

Learn more about inviting guest users with PowerShell in bulk at: 
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/ 
bulk-invite-powershell 

Learn more about inviting guest users with Graph API at: 
https://docs.microsoft.com/en-us/graph/api/resources/invitation?view=graph-rest-1.0 
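Whether you invite through the portal, the bulk CSV above, PowerShell, or your own code, what reaches Azure AD is an invitation object with the same fields: the invitee's address, a redirect URL, whether Azure AD should send the email, and an optional message. The following Python script is an added example; it is not code from the book or from Microsoft. It builds the request bodies for the Graph invitation API (POST https://graph.microsoft.com/v1.0/invitations, with a token carrying the User.Invite.All permission) for a list of guests, and it refuses addresses that the tenant's Collaboration restrictions would block. The deny/allow model in CollaborationRestrictions is our own reading of that portal setting, and the addresses are constructed; the script makes no network call.

```python
"""Plan Azure AD B2B guest invitations for the Microsoft Graph invitation API.

Added example, not code from the book or from Microsoft. It produces the
JSON bodies for POST https://graph.microsoft.com/v1.0/invitations and enforces
a tenant domain restriction before any invitation is sent. The same three
choices the bulk invite CSV asks for (redirect URL, whether Azure AD sends the
email, custom message) appear here as parameters. The network call itself is
left to the caller; no request is made by this script.
"""
import json
from dataclasses import dataclass, field
from typing import Optional

GRAPH_INVITATIONS_URL = "https://graph.microsoft.com/v1.0/invitations"


@dataclass(frozen=True)
class CollaborationRestrictions:
    """Model (our own, for this example) of the Collaboration restrictions setting.

    mode "any"   : invitations may go to any domain (the tenant default)
    mode "deny"  : invitations to the listed domains are refused
    mode "allow" : invitations are permitted only to the listed domains
    """
    mode: str = "any"
    domains: frozenset = field(default_factory=frozenset)

    def permits(self, email: str) -> bool:
        domain = email.rsplit("@", 1)[-1].lower()
        if self.mode == "any":
            return True
        listed = domain in {d.lower() for d in self.domains}
        if self.mode == "deny":
            return not listed
        if self.mode == "allow":
            return listed
        raise ValueError(f"unknown restriction mode {self.mode!r}")


def build_invitation(email: str, redirect_url: str, *,
                     restrictions: CollaborationRestrictions,
                     send_email: bool = True,
                     message: Optional[str] = None,
                     display_name: Optional[str] = None) -> dict:
    """Return the request body for one POST /invitations call.

    Raises ValueError for a malformed address and PermissionError when the
    tenant's domain restriction would block the invite.
    """
    if email.count("@") != 1 or not email.split("@")[1]:
        raise ValueError(f"not an email address: {email!r}")
    if not restrictions.permits(email):
        raise PermissionError(f"collaboration restrictions block {email!r}")
    body = {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,     # where the guest lands after redemption
        "sendInvitationMessage": send_email,   # False: you distribute the redemption URL yourself
    }
    if display_name:
        body["invitedUserDisplayName"] = display_name
    if message and send_email:
        body["invitedUserMessageInfo"] = {"customizedMessageBody": message}
    return body


def plan_bulk_invite(emails, redirect_url, restrictions, **kwargs):
    """Build bodies for many guests at once; blocked or malformed addresses are
    collected instead of aborting the whole batch, mirroring the per-row Status
    column of the portal's bulk invite result file."""
    payloads, rejected = [], []
    for email in emails:
        try:
            payloads.append(build_invitation(email, redirect_url, restrictions=restrictions, **kwargs))
        except (ValueError, PermissionError) as exc:
            rejected.append((email, str(exc)))
    return payloads, rejected


if __name__ == "__main__":
    # Constructed sample input: fictitious partner addresses.
    invitees = ["alex@fabrikam.com", "pat@contoso.com", "someone@gmail.com", "not-an-address"]
    policy = CollaborationRestrictions(mode="allow", domains=frozenset({"fabrikam.com", "contoso.com"}))
    ok, bad = plan_bulk_invite(invitees, "https://myapplications.microsoft.com", policy,
                               message="You have been invited to the Lamna Healthcare partner portal.")
    print(json.dumps(ok, indent=2))
    for email, why in bad:
        print("skipped:", email, "(", why, ")")
```

Two points of the design are worth a look. The redirect URL is passed through unchanged, so pin it to the application you actually want guests to land in rather than trusting a value from a spreadsheet. And when sendInvitationMessage is false, no custom message is attached because Azure AD sends nothing; in that case read inviteRedeemUrl from the Graph response and deliver it through your own channel, which is the same choice the bulk CSV's TRUE/FALSE flag gives you.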
Manage external user accounts in Azure AD


In most scenarios, guest accounts in Azure AD can be used equivalently to member user 
accounts. You can assign applications to them, assign them Azure AD roles, assign permissions 
in various applications, include them in groups, etc. The guest account can be targeted in 
policies such as Conditional Access policies, and the guest account can be assigned a license in 
the resource tenant—all using the same mechanisms that member accounts are managed with. 


A few procedures are still unique to guest accounts and are covered in this section.


If a guest user has not yet redeemed their invitation, in some cases you may need to resend 
the invitation email—for example, if the user mistakenly removed the original invite email. 


To resend an invitation email: 
1. Open Azure portal > Azure Active Directory > Users. 
2. Open the properties of the guest account you need to resend the invitation email to. 


3. In the Identity section, note that Invitation accepted is set to No. Select (manage). See Figure 1-43.


[Screenshot: Profile page of the guest user LyonRobert (User type Guest) in Lamna Healthcare Company, with the Identity section expanded.]

FIGURE 1-43 Profile of a guest user that hasn't yet redeemed their invite.

4. Set Resend invite? to Yes. See Figure 1-44.


[Screenshot: Manage invitations panel for the same guest user, showing Email invitations with Resend invite? Yes/No, Redemption status, and Reset invitation status? (Preview).]

FIGURE 1-44 Profile of a guest user that hasn't yet redeemed their invite, Manage invitations tab.


5. In the Are you sure you want to resend an invitation? dialog, select Yes.
6. Select Done.


As discussed earlier, Azure AD B2B allows users with a variety of credentials (Azure AD accounts, Microsoft accounts, Google accounts, accounts from a federated SAML/WS-Fed identity provider) to get Single Sign-On to a resource tenant. There may still be a situation where an invited guest has an email address that doesn't correspond to any of the account types above. In that case, depending on the resource tenant configuration, the guest can sign in with a one-time passcode delivered over email or be prompted to create a Microsoft account or Azure AD self-service account. We recommend the email one-time passcode option in these business scenarios: every sign-in proves that the guest still controls the mailbox they were invited at. With the Microsoft account/Azure AD self-service account option, the guest creates a password of their choice, and you may not be notified if they leave their organization, so there is no technical way to ensure that the user still works for their employer at a later time.


To enable an email one-time passcode: 


1. Open Azure portal > Azure Active Directory > External identities > All identity providers. See Figure 1-45.

FIGURE 1-45 All identity providers page.

2. Select Email one-time passcode. See Figure 1-46.

FIGURE 1-46 Configure identity provider: Email one-time passcode for guests.

3. Select Enable email one-time passcode for guests effective now.
4. Select Save.


Configure identity providers, including SAML and WS-Fed 


With Azure AD B2B, you can configure federation with social providers (Google, Facebook) or 
SAML/WS-Fed identity providers. 


Google federation with Azure AD External identities allows Gmail users to get Single 
Sign-On to a resource tenant they are invited to. Read more about Google federation at 
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/google-federation. 
Google federation isn't applicable to Google Workspace domains—for Google Workspace 
domains, see the SAML/WS-Fed section below. 

Facebook federation shares the same idea as Google federation: it allows Facebook users 
to sign in as Azure AD B2B guests to your tenant. Follow the article for details, here: https:// 
docs.microsoft.com/en-us/azure/active-directory/external-identities/facebook-federation. 

SAML/WS-Fed identity provider federation (previously known as Direct federation) 
is a Public Preview feature at the time of writing. This option is used when a resource tenant 
administrator needs to provide the Single Sign-On experience to guests from a domain that is 
not Azure AD verified. 

To set up SAML/WS-Fed identity provider federation:

1. Determine whether the guest company's DNS administrator will need to update their DNS settings:

■ DNS changes are needed if the target domain does not match the identity provider's passive authentication URL.
■ DNS changes are not needed if the target domain matches the identity provider's passive authentication URL.

For example, when setting up federation with fabrikam.com:

■ If the identity provider's authentication URL is https://fabrikam.com or https://sts.fabrikam.com/adfs, no DNS changes are necessary.
■ If the identity provider's authentication URL is https://fabrikamhq.com or https://sts.fabrikamhq.com/adfs, DNS changes are necessary to confirm that the company that owns the fabrikam.com domain name uses the identity provider with the authentication URL in the fabrikamhq.com domain.

The following Identity Provider (IdP) domain names do not require DNS changes:

■ accounts.google.com
■ pingidentity.com
■ login.pingone.com
■ okta.com
■ oktapreview.com
■ okta-emea.com
■ my.salesforce.com
■ federation.exostar.com
■ federation.exostartest.com
■ idaptive.app
■ idaptive.qa

2. If DNS changes are necessary, add a DNS record:

<domainname> IN TXT DirectFedAuthUrl=<IdP authentication URL>

Taking the example from the previous step, the DNS record may look like this:

fabrikam.com IN TXT DirectFedAuthUrl=https://sts.fabrikamhq.com/adfs


3. If you choose to federate with SAML, ensure that the IdP includes the following attributes (as shown in Table 1-1 and Table 1-2) in the SAML 2.0 response:

TABLE 1-1 Required attributes for the SAML 2.0 response from the IdP

Attribute                  Value
AssertionConsumerService   https://login.microsoftonline.com/login.srf
Audience                   urn:federation:MicrosoftOnline
Issuer                     Issuer URI of the IdP

TABLE 1-2 Required claims for the SAML 2.0 token issued by the IdP

Attribute       Value
NameID Format   urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
emailaddress    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

4. If you choose to federate with WS-Fed, ensure that the IdP includes the following attributes (as shown in Table 1-3 and Table 1-4) in the WS-Fed message:

TABLE 1-3 Required attributes in the WS-Fed message from the IdP

Attribute                  Value
PassiveRequestorEndpoint   https://login.microsoftonline.com/login.srf
Audience                   urn:federation:MicrosoftOnline
Issuer                     Issuer URI of the IdP

TABLE 1-4 Required claims for the WS-Fed token issued by the IdP

Attribute       Value
ImmutableID     http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID
emailaddress    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
5. Go to Azure portal > Azure Active Directory > External Identities > All identity providers.
6. Select + New SAML/WS-Fed IdP.
7. Under Identity provider protocol, select SAML or WS-Fed.
8. Provide the Domain name of the federating IdP.
9. Upload a metadata file or provide the following information manually:
■ Issuer URI
■ Passive authentication endpoint
■ Certificate
■ Metadata URL (optional; we recommend providing it so that Azure AD can renew the signing certificate automatically when it expires)
10. Select Save.
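Steps 1 through 4 above are checks you make before anything is saved in the portal, and they are the ones a partner typically gets wrong. The following Python script is an added example, not code from the book or from Microsoft's documentation, that automates two of them: whether the partner domain needs a DirectFedAuthUrl TXT record (and what that record is), and whether a SAML 2.0 assertion captured from the partner IdP carries the Issuer, Audience, NameID format and emailaddress claim from Tables 1-1 and 1-2. The matching rule for "the target domain matches the authentication URL" (the URL's host is the domain, or a subdomain of it, or of one of the listed IdP domains) is our interpretation of the examples in step 1. The assertion is a constructed, unsigned sample; the script does not verify the XML signature, which Azure AD checks against the certificate from step 9.

```python
"""Pre-flight checks before saving a SAML/WS-Fed identity provider federation.

Added example, not code from the book or from Microsoft. Check 1 decides
whether the partner domain needs a DirectFedAuthUrl TXT record and prints the
record to hand to the partner's DNS administrator. Check 2 inspects a SAML 2.0
assertion captured from the partner IdP for the Issuer, Audience, NameID format
and emailaddress claim from Tables 1-1 and 1-2. It does not verify the XML
signature; Azure AD does that against the certificate you upload in step 9.
"""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# IdP domains that never need a DNS record (the list from step 1).
NO_DNS_IDP_DOMAINS = frozenset({
    "accounts.google.com", "pingidentity.com", "login.pingone.com",
    "okta.com", "oktapreview.com", "okta-emea.com", "my.salesforce.com",
    "federation.exostar.com", "federation.exostartest.com",
    "idaptive.app", "idaptive.qa",
})

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_AUDIENCE = "urn:federation:MicrosoftOnline"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def _host_under(host: str, domain: str) -> bool:
    """True when host equals domain or is a subdomain of it (case-insensitive)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def dns_record_needed(target_domain: str, idp_auth_url: str) -> bool:
    """Assumption: 'matches' means the URL's host is the target domain or under it."""
    host = urlparse(idp_auth_url).hostname or ""
    if _host_under(host, target_domain):
        return False
    return not any(_host_under(host, d) for d in NO_DNS_IDP_DOMAINS)


def direct_fed_txt_record(target_domain: str, idp_auth_url: str):
    """The TXT record the partner must publish, or None if no DNS change is required."""
    if not dns_record_needed(target_domain, idp_auth_url):
        return None
    return f"{target_domain} IN TXT DirectFedAuthUrl={idp_auth_url}"


def check_saml_assertion(xml_text: str) -> list:
    """Return the list of problems found; an empty list means Tables 1-1/1-2 are satisfied."""
    root = ET.fromstring(xml_text)
    assertion_tag = "{%s}Assertion" % SAML_NS["saml"]
    assertion = root if root.tag == assertion_tag else root.find(".//saml:Assertion", SAML_NS)
    if assertion is None:
        return ["no saml:Assertion element"]
    problems = []
    if not (assertion.findtext("saml:Issuer", default="", namespaces=SAML_NS) or "").strip():
        problems.append("missing Issuer")
    audiences = [a.text.strip() for a in assertion.findall(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML_NS) if a.text]
    if REQUIRED_AUDIENCE not in audiences:
        problems.append(f"Audience must include {REQUIRED_AUDIENCE}, found {audiences}")
    name_id = assertion.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None:
        problems.append("missing Subject/NameID")
    elif name_id.get("Format") != PERSISTENT_FORMAT:
        problems.append(f"NameID Format must be {PERSISTENT_FORMAT}, found {name_id.get('Format')}")
    emails = assertion.findall(
        f".//saml:AttributeStatement/saml:Attribute[@Name='{EMAIL_CLAIM}']/saml:AttributeValue", SAML_NS)
    if not any((e.text or "").strip() for e in emails):
        problems.append("missing emailaddress claim")
    return problems


# Constructed, unsigned sample assertion from a fictitious partner IdP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1f2" Version="2.0" IssueInstant="2022-01-13T01:19:06Z">
  <saml:Issuer>https://sts.fabrikamhq.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">bb1d4f7a-0e2c-4d55-9a3f-7c0a1e2f3b44</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>urn:federation:MicrosoftOnline</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alex@fabrikam.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for url in ("https://sts.fabrikam.com/adfs", "https://sts.fabrikamhq.com/adfs", "https://fabrikam.okta.com"):
        print(url, "->", direct_fed_txt_record("fabrikam.com", url) or "no DNS change needed")
    print("assertion problems:", check_saml_assertion(SAMPLE_ASSERTION) or "none")
```

Run it against an assertion exported from the partner's test environment (a browser SAML tracer is enough) before you ask them for a certificate: a transient NameID or a missing emailaddress claim is far cheaper to fix on their side before the federation exists than after guests start redeeming invitations.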


NEED MORE REVIEW? SAML/WS-FED IDENTITY PROVIDER INTEGRATION 

Learn more about configuring ADFS as SAML/WS-Fed identity provider at: 
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/ 
direct-federation-adfs 

In the preceding example, we covered configuring the SAML/WS-Fed identity provider 
federation using the Azure portal. 

Learn more about configuring the SAML/WS-Fed identity provider using PowerShell at: 


https://docs.microsoft.com/en-us/azure/active-directory/external-identities/ 
direct-federation 


Skill 1.4: Implement and manage hybrid identity

Many organizations have on-premises environments that include on-premises Active Directory Domain Services. In this section, we cover the tools that synchronize on-premises identities to Azure AD: Azure AD Connect and Azure AD Connect cloud sync. We cover the authentication methods that are applicable to on-premises users: Password Hash Synchronization, Pass-Through Authentication, and Federation. We discuss the configuration of Azure AD Connect with each of these methods. We also discuss Azure AD Connect Health, a tool that can be used to monitor the health of on-premises components of your environment such as the Azure AD Connect synchronization engine, Active Directory Domain Services (AD DS), and Active Directory Federation Services (AD FS).
This skill covers how to:

■ Implement and manage Azure Active Directory Connect
■ Implement and manage Azure AD Connect cloud sync
■ Implement and manage Password Hash Synchronization (PHS)
■ Implement and manage Pass-Through Authentication (PTA)
■ Implement and manage Seamless Single Sign-On (Seamless SSO)
■ Implement and manage Federation, excluding manual ADFS deployment
■ Implement and manage Azure AD Connect Health
■ Troubleshoot synchronization errors


Implement and manage Azure Active Directory Connect 


Many enterprises have an existing on-premises infrastructure before they start their cloud journey. On-premises infrastructure often includes identity providers such as Active Directory Domain Services. Microsoft offers a set of hybrid capabilities that allows customers to use on-premises identities in the cloud. The two products currently offered are Azure AD Connect and Azure AD Connect cloud sync.


Azure AD Connect is an on-premises application that provides the following capabilities:

■ Synchronization: based on on-premises user, group, and device information, it creates users, groups, and devices in Azure AD. For certain scenarios, writeback synchronization (creating or updating on-premises objects based on Azure AD object information) is also supported.
■ Authentication: Azure AD Connect configures authentication of on-premises users using one of the following options:
  ■ Password Hash Synchronization
  ■ Pass-Through Authentication
  ■ Federation
■ Health monitoring: Azure AD Connect Health provides monitoring for:
  ■ Azure AD Connect synchronization
  ■ Active Directory Domain Services
  ■ Active Directory Federation Services


Think about Azure AD Connect as a wizard that configures all the things mentioned above: 
Synchronization engine, Federation settings, Active Directory Domain Services monitoring, etc. 
And most of them are separate pieces of software—different agents, synchronization engines, 
and so on. 


The Synchronization engine (also known as Azure AD Connect Sync) is the central part of Azure AD Connect. Authentication-related components may or may not be implemented, but the Synchronization engine is always deployed in any Azure AD Connect installation. In this part, we will focus on basic Azure AD Connect implementation and the Synchronization engine.


The Azure AD Connect Synchronization engine can be used for synchronization between 
on-premises Active Directory Domain Services or LDAP directory on one side and Azure AD 
on another side. But for the purposes of this book, we will focus on synchronization between 
Active Directory and Azure AD. 


Single tenant topologies: 


The simplest Azure AD Connect topology consists of one on-premises Active Directory Domain Services forest, one Azure AD tenant, and one Azure AD Connect instance that synchronizes information between them. See Figure 1-47.


[Diagram: an Active Directory forest (on-premises infrastructure) connected through the Azure AD Connect Synchronization Service to an Azure AD tenant (cloud).]

FIGURE 1-47 Azure AD Connect topology for one Active Directory forest and one Azure AD tenant.


Another possible situation is when you have multiple on-premises Active Directory Domain Services forests and need to synchronize information from each of them to a single Azure AD tenant. This is possible with one Azure AD Connect instance, which must have network connectivity to domain controllers of all involved Active Directory domains. See Figure 1-48.

FIGURE 1-48 Azure AD Connect topology for multiple Active Directory forests and one Azure AD tenant.

Multiple tenant topologies:


In the common multi-tenant topology, one on-premises object (user, group, device) is synchronized to only one Azure AD tenant. This can be implemented using filtering mechanisms: for example, one organizational unit can be synchronized to one Azure AD tenant, and another organizational unit can be synchronized to another Azure AD tenant. See Figure 1-49. Filtering based on groups or custom rules achieves the same result, as long as each on-premises object is synchronized to only one Azure AD tenant.


[Diagram: one Active Directory forest (on-premises infrastructure) connected through Azure AD Connect Synchronization Services 1, 2, and 3 to Azure AD tenants 1, 2, and 3 (cloud), each object going to only one tenant.]

FIGURE 1-49 Azure AD Connect topology for one forest and multiple Azure AD tenants, where each object is synchronized to one tenant only.


In some situations, one on-premises object (user, device, group) needs to be synchronized 
to multiple Azure AD tenants. This topology is in Public Preview at the time of writing. In this 
configuration, synchronization from an on-premises environment can be configured to mul- 
tiple Azure AD tenants, but only one Azure AD tenant can be configured to write back to the 
on-premises environment for the same object. See Figure 1-50. 


Skill 1.4: Implement and manage hybrid identity CHAPTER 1 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 




[Figure 1-50: one Active Directory forest (on-premises infrastructure) with three Azure AD 
Connect Synchronization Services (1, 2, 3), each synchronizing the same objects to its own 
Azure AD tenant (tenant 1, 2, 3) in the cloud.] 

FIGURE 1-50 Azure AD Connect topology for one forest and multiple 
Azure AD tenants, where an object is synchronized to multiple tenants. 


EXAM TIP 


Note that in Figures 1-47 through 1-50 there is one Azure AD Connect Synchronization 
Service per Azure AD tenant. At no point in time can one Azure AD tenant have multiple 
active servers, that is, multiple Azure AD Connect Synchronization Service instances 
exporting to it. Having said that, it is possible to have one active Azure AD Connect server 
and one (or, potentially, more than one) staging Azure AD Connect server. A staging server 
reads data from the connected directories so that it holds an up-to-date copy of the data, 
but it doesn't write to any directory. A staging server can be used to test a new configuration, 
and an administrator can make a staging server active if the current active server becomes 
unavailable. 


NEED MORE REVIEW? TOPOLOGIES FOR AZURE AD CONNECT 


Read more about supported and unsupported topologies for Azure AD Connect at: 
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies 


NOTE AZURE AD CONNECT PREREQUISITES 


To deploy Azure AD Connect, you need a domain-joined server with Windows Server 2016 
or later and with full GUI (not Server Core). 


Read the full list of Azure AD Connect prerequisites here: 
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites 
Choosing the right authentication method in a hybrid environment: 


A key decision that must be made is the authentication method for user accounts that will be 
synchronized from an on-premises environment. The three options to choose from are: 

■ Password Hash Synchronization (PHS) 
■ Pass-Through Authentication (PTA) 
■ Federation 

Each of these methods will be covered in detail in later sections. 


We recommend using the Password Hash Synchronization authentication method unless 
you need to enforce user-level Active Directory security policies during sign-in or have a sign- 
in requirement not supported natively by Azure AD—such as Certificate-Based Authentication. 


NEED MORE REVIEW? AUTHENTICATION METHODS FOR HYBRID ENVIRONMENT 


Read more about choosing the right authentication method at: 
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn 


If PTA or Federation is chosen as the authentication method, we still recommend enabling 
Password Hash Synchronization in addition. That allows you to switch to cloud authentication 
if something goes wrong with the on-premises Active Directory Domain Services environment 
or the federated identity provider, and it also enables leaked credentials detection through 
Azure AD Identity Protection. 


Prior to Azure AD Connect installation, it is recommended to use the IdFix tool to identify 
any potential issues with source data in on-premises Active Directory, such as duplicates or 
unsupported characters in attribute values. Follow these steps to identify and resolve issues: 

1. Download the IdFix tool from https://github.com/Microsoft/idfix. 
2. Install the IdFix tool by launching the installation file and selecting Install. 
3. Review the privacy statement. 
4. Select Query to analyze Active Directory Domain Services domain data. 
5. If you get a Schema Warning message, review it and select Yes. 
6. Review the identified issues as shown in Figure 1-51. An empty list indicates that no 
issues were identified. 


[Figure 1-51: IdFix version 2.5.0.0 window with Accept, Apply, Export, Import and Undo 
commands and the columns DISTINGUISHEDNAME, OBJECTCLASS, ATTRIBUTE, ERROR, VALUE, 
UPDATE and ACTION. Two user objects in OU=Users,OU=HQ are listed, each with ERROR 
"Duplicate" on the mail attribute and a proposed UPDATE value.] 

FIGURE 1-51 IdFix tool execution result. 
7. Solve identified issues manually outside of the IdFix tool, or select an applicable action in 
the right column and select Accept. 
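The checks IdFix performs are worth understanding, because the same rules decide whether an object lands in Azure AD with the identity you expect. The following script is an added example, not part of the book and not the IdFix tool itself: an offline, IdFix-style pre-flight over user objects. The $Users sample data is constructed here so the script runs without a domain (the two duplicate mailboxes mirror the situation in Figure 1-51), $VerifiedDomains is an assumed list of domains already verified in the tenant, and the commented Get-ADUser line at the end shows how to feed the same function real objects.

```powershell
# Added example; not from the book and not the IdFix tool itself. An offline IdFix-style
# pre-flight over user objects. $Users is constructed sample data so the script runs
# without a domain; the commented Get-ADUser line at the end shows how to feed it real
# objects. $VerifiedDomains is an assumed list of domains already verified in the tenant.

$VerifiedDomains = @('lamnahealthcare.com')

$Users = @(
    [pscustomobject]@{ DistinguishedName = 'CN=Lisa Miller,OU=Users,OU=HQ,DC=lamnahealthcare,DC=com'
                       userPrincipalName = 'lmiller@lamnahealthcare.com'; mail = 'miller@lamnahealthcare.com' }
    [pscustomobject]@{ DistinguishedName = 'CN=Mike Miller,OU=Users,OU=HQ,DC=lamnahealthcare,DC=com'
                       userPrincipalName = 'mmiller@lamnahealthcare.com'; mail = 'Miller@lamnahealthcare.com' }
    [pscustomobject]@{ DistinguishedName = 'CN=Ann Smith,OU=Users,OU=HQ,DC=lamnahealthcare,DC=com'
                       userPrincipalName = 'ann smith@lamnahealthcare.com'; mail = 'asmith@lamnahealthcare.com' }
    [pscustomobject]@{ DistinguishedName = 'CN=Svc Backup,OU=Service,DC=lamnahealthcare,DC=com'
                       userPrincipalName = 'svc.backup@lamnahealthcare.local'; mail = $null }
)

# Values that must be unique once they reach Azure AD (compared case-insensitively, as Azure AD does).
$UniqueAttributes = 'mail', 'userPrincipalName'

# Characters Azure AD accepts in the part of a UPN before the @: letters, digits and ' . - _ ! # ^ ~
$UpnLocalPattern = '^[A-Za-z0-9''.\-_!#^~]+$'

function Test-SyncReadiness {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [string[]] $VerifiedDomains
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($User, $Attribute, $Kind, $Value) {
        $findings.Add([pscustomobject]@{
            DistinguishedName = $User.DistinguishedName
            Attribute         = $Attribute
            Error             = $Kind
            Value             = $Value
        })
    }

    # Rule 1: duplicate mail / UPN values across all objects in scope.
    foreach ($attr in $UniqueAttributes) {
        $Users | Where-Object { $_.$attr } |
            Group-Object { $_.$attr.ToLowerInvariant() } |
            Where-Object Count -gt 1 |
            ForEach-Object { foreach ($u in $_.Group) { Add-Finding $u $attr 'Duplicate' $u.$attr } }
    }

    # Rule 2: UPN must be local@suffix, use only accepted characters, and carry a verified suffix.
    # An unverified suffix is not rejected by sync; Azure AD rewrites it to the tenant's default
    # *.onmicrosoft.com domain, which is why it is worth catching before the first sync.
    foreach ($u in $Users) {
        $upn = [string]$u.userPrincipalName
        if ($upn -match '^(?<local>[^@]+)@(?<suffix>[^@]+)$') {
            if ($Matches.local -notmatch $UpnLocalPattern) {
                Add-Finding $u 'userPrincipalName' 'Character' $upn
            }
            if ($VerifiedDomains -notcontains $Matches.suffix) {
                Add-Finding $u 'userPrincipalName' 'UnverifiedSuffix' $upn
            }
        } else {
            Add-Finding $u 'userPrincipalName' 'Format' $upn
        }
    }
    return $findings
}

Test-SyncReadiness -Users $Users -VerifiedDomains $VerifiedDomains | Format-Table -AutoSize

# Against a real forest (RSAT ActiveDirectory and Microsoft.Graph modules), use the same function:
# $real = Get-ADUser -Filter * -Properties mail | Select-Object DistinguishedName, userPrincipalName, mail
# Test-SyncReadiness -Users $real -VerifiedDomains ((Get-MgDomain | Where-Object IsVerified).Id)
```

With the constructed data the function reports the two Miller accounts as duplicates on mail (the values differ only in case, which Azure AD does not distinguish), flags the space in Ann Smith's UPN, and flags the .local suffix on the service account. IdFix additionally checks proxyAddresses and a few other attributes; the point of the rewrite is to show that every finding is a plain uniqueness or character-set rule that you can also run from a scheduled job, so that a bad object is caught before it is exported rather than after a sync error.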


Azure AD Connect can be installed in one of two modes: Express settings or Custom 
settings. Choose Express settings if all of the following are true: 

■ You need to synchronize identities from one on-premises Active Directory Domain 
Services forest. 
■ The Azure AD Connect server is a member of the same forest you will synchronize to Azure AD. 
■ Your authentication method of choice is Password Hash Synchronization. 
■ You are fine with synchronization of all attributes (eligible for synchronization) to Azure AD. 
■ You don't need to configure custom groups to manage the Azure AD Connect Synchroniza- 
tion Engine. 


To install Azure AD Connect: 

1. Download Azure AD Connect from https://go.microsoft.com/fwlink/?LinkId=615771. 
2. Run the installation file. 
3. On the Welcome to Azure AD Connect screen, review the license terms and privacy 
notice and select Continue. 
4. On the Express Settings page, select Customize or Use express settings. See Figure 1-52. 


[Figure 1-52: Express Settings page of the Azure AD Connect wizard. Text: "If you have a 
single Windows Server Active Directory forest, we will do the following: Configure 
synchronization of identities in the current AD forest of LAMNAHEALTHCARE; Configure 
password hash synchronization from on-premises AD to Azure AD; Start an initial 
synchronization; Synchronize all attributes; Enable Auto Upgrade. Select Customize to 
choose advanced deployment options or import settings from an existing server." Buttons: 
Customize, Use express settings.] 

FIGURE 1-52 Azure AD Connect, Express Settings page. 
For the rest of this exercise, we will assume that the Use express settings option 
was selected. 

5. On the Connect to Azure AD page (shown in Figure 1-53), provide the credentials of an 
Azure AD Global Administrator or Hybrid Identity Administrator. You may also be 
asked to provide a second factor of authentication, depending on tenant settings. 


NOTE CREDENTIALS SUPPLIED TO AZURE AD CONNECT WIZARD 

These credentials will be used for configuration and for creating another user account for 
synchronization purposes (the service account). There is no need to manually create a ser- 
vice account in Azure AD. It is safe to disable the Global Administrator or Hybrid Identity 
Administrator account at a later point, for example if the administrator who made the 
Azure AD Connect configuration has left the company. 


[Figure 1-53: Connect to Azure AD page of the Azure AD Connect wizard (left-hand steps: 
Express Settings, Connect to Azure AD, Connect to AD DS, Configure). Text: "Enter your 
Azure AD global administrator or hybrid identity administrator credentials." USERNAME 
(username@domain) and PASSWORD fields; Previous and Next buttons.] 

FIGURE 1-53 Azure AD Connect, Connect to Azure AD page. 
6. On the Connect to AD DS page (shown in Figure 1-54), provide the enterprise administra- 
tor credentials for the Active Directory forest. Similar to the previous step, the enterprise 
administrator's credentials will be used to create the service account. There is no need to 
manually create a service account in Active Directory. It is safe to disable the enterprise 
administrator account used during installation at a later point, for example if the admin- 
istrator who made the Azure AD Connect configuration has left the company. 


[Figure 1-54: Connect to AD DS page of the Azure AD Connect wizard. Text: "Enter the 
Active Directory Domain Services enterprise administrator credentials:" USERNAME 
(CONTOSO.COM\username) and PASSWORD fields; Previous and Next buttons.] 

FIGURE 1-54 Azure AD Connect, Connect to AD DS page. 


7. On the Azure AD sign-in configuration page, review the list of UPN suffixes config- 
ured in the Active Directory forest. 

In the earlier section "Configure and manage custom domains," we discussed User 
Principal Names (UPNs) of Azure AD users. Like Azure AD users, on-premises Active Di- 
rectory Domain Services users also have UPNs. For the best user experience, it is recom- 
mended that UPNs in the on-premises and Azure AD environments match. 

8. Review the UPN suffixes to ensure that the UPN suffixes used on-premises are verified 
in Azure AD. 

9. On the Ready to configure page, review the settings and proposed changes and select 
Install. See Figure 1-55. 
[Figure 1-55: Ready to configure page of the Azure AD Connect wizard. Text: "Once you 
click Install, we will do the following: Install the synchronization engine; Configure Azure AD 
Connector; Configure lamnahealthcare.com Connector; Enable Password hash synchronization; 
Enable Auto Upgrade; Configure synchronization services on this computer." Checkbox 
(selected): "Start the synchronization process when configuration completes." Buttons: 
Previous, Install.] 

FIGURE 1-55 Azure AD Connect, Ready to configure page. 


10. On the Configuration complete page, review the configuration summary and recom- 
mendations. Select Exit. See Figure 1-56. 


[Figure 1-56: Configuration complete page of the Azure AD Connect wizard. Text: "Azure AD 
Connect configuration succeeded. The synchronization process has been initiated." Notes: 
"The configuration is complete. You can now log in to the Azure or Office 365 portal to verify 
that user accounts from your local directory have been created. Then, do a test sign on to the 
Azure portal." "The Active Directory Recycle Bin is not enabled for your forest 
(lamnahealthcare.com) and is strongly recommended." "Azure Active Directory is configured 
to use AD attribute mS-DS-ConsistencyGuid as the source anchor attribute."] 

FIGURE 1-56 Azure AD Connect, Configuration complete page. 
11. After configuration is completed, open the Azure AD Connect wizard (using a desktop 
or Start menu shortcut) to perform the following actions: 

■ Review privacy settings: enable or disable application telemetry. 
■ View or export the Azure AD Connect configuration. 
■ Customize synchronization options: 
    ■ Configure Exchange Hybrid deployment. 
    ■ Add/remove Active Directory forests for synchronization. 
    ■ Implement domain/OU filtering. 
    ■ Configure Azure AD app and attribute filtering. 
    ■ Enable/disable Password Hash Synchronization. 
    ■ Enable/disable password writeback. 
    ■ Enable/disable group writeback. 
    ■ Configure device writeback. 
    ■ Configure directory extension attribute sync. 
■ Configure Hybrid Azure AD Join. 
■ Refresh the schema to enable synchronization of new attributes. 
■ Enable/disable staging mode. 
■ Change user sign-in options. 
■ Manage federation settings. 
■ Launch the AADConnect Troubleshooting tool (PowerShell-based). 
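Once the wizard has finished, the things worth verifying are the ones the figures only hint at: whether this server is really the active one (or a staging server, as discussed in the exam tip on topologies), whether every on-premises UPN suffix is a verified Azure AD domain (step 8 above), and whether the scheduler is running. The following script is an added example, not from the book, and uses only cmdlets that ship with Azure AD Connect (the ADSync module), the ActiveDirectory RSAT module, and the Microsoft.Graph modules; it assumes a Graph connection is permitted with Domain.Read.All, and the domain names are the ones from the chapter's figures.

```powershell
# Added example, not from the book: checks to run on the Azure AD Connect server right
# after the wizard finishes. Assumes the ADSync module (installed with Azure AD Connect),
# the ActiveDirectory RSAT module, and the Microsoft.Graph modules (Domain.Read.All).
Import-Module ADSync, ActiveDirectory

# 1. Scheduler state. Only one server per tenant may export; a staging server shows
#    StagingModeEnabled = True and must not be mistaken for the active one. The default
#    cycle is 30 minutes, which is also how long a disable done on-premises can take to
#    reach Azure AD when PHS is the sign-in method.
$sched = Get-ADSyncScheduler
[pscustomobject]@{
    StagingMode      = $sched.StagingModeEnabled
    SyncCycleEnabled = $sched.SyncCycleEnabled
    Interval         = $sched.CurrentlyEffectiveSyncCycleInterval
    NextRunUtc       = $sched.NextSyncCycleStartTimeInUTC
    InProgress       = $sched.SyncCycleInProgress
}

# 2. UPN suffix coverage. A user whose suffix is not a verified Azure AD domain is created
#    with the tenant's default *.onmicrosoft.com suffix, which breaks the "same UPN on both
#    sides" experience the wizard asks you to check for.
Connect-MgGraph -Scopes 'Domain.Read.All'
$verified = (Get-MgDomain | Where-Object IsVerified).Id
$forest   = Get-ADForest
$onPrem   = (@($forest.Domains) + @($forest.UPNSuffixes)) | Sort-Object -Unique
$onPrem | Where-Object { $_ -notin $verified } |
    ForEach-Object { Write-Warning "UPN suffix '$_' exists on-premises but is not verified in Azure AD" }

# The users who carry an unverified suffix today (the wizard shows suffixes, not users).
Get-ADUser -Filter 'Enabled -eq $true' |
    Where-Object { ($_.UserPrincipalName -split '@')[-1] -notin $verified } |
    Select-Object Name, UserPrincipalName

# 3. Push a delta cycle now instead of waiting for the scheduler, but only when no cycle
#    is already running, because Start-ADSyncSyncCycle fails if one is.
if (-not (Get-ADSyncScheduler).SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Delta
}
Get-ADSyncConnectorRunStatus   # empty output means every connector is idle again
```

Run the same scheduler check on every Azure AD Connect server you own: exactly one should report StagingMode = False for a given tenant. If two do, the second one will export conflicting changes, which is the situation the exam tip above says must never occur.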


EXAM TIP 

The default synchronization cycle for an Azure AD Connect server is 30 minutes. The default syn- 
chronization cycle for Azure AD Connect cloud sync (covered in the next section) is 2 minutes. 
Read more about Azure AD Connect scheduler configuration at: 
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-scheduler 


Implement and manage Azure AD Connect cloud sync 


Azure AD Connect cloud sync is a new synchronization service for hybrid environments. It can 
be used by itself or with Azure AD Connect. Similar to Azure AD Connect, it provides synchro- 
nization between on-premises Active Directory and Azure AD. A key difference compared to 
Azure AD Connect is that Azure AD Connect runs its synchronization engine on an on-prem- 
ises server, while Azure AD Connect cloud sync utilizes lightweight agents on-premises and a 
synchronization engine in the cloud. 
Azure AD Connect cloud sync provides the following benefits compared to Azure AD Connect: 


■ Simplified installation with lightweight provisioning agents. 
■ Synchronization from a multi-forest, disconnected Active Directory environment. As 
discussed earlier, to synchronize from multiple forests with Azure AD Connect, you must 
establish network connectivity between Azure AD Connect and each involved domain. 
With Azure AD Connect cloud sync, you can deploy multiple provisioning agents, each 
in its own forest, without direct network connectivity between them. 
■ Multiple provisioning agents can be used to simplify high-availability deployments. 


At the same time, Azure AD Connect cloud sync lacks the following functionality available in 
Azure AD Connect at the time of writing: 

■ Synchronization from LDAP directories 
■ Synchronization of device objects (required for Hybrid Azure AD Join) 
■ Synchronization of directory extension attributes 
■ Pass-Through Authentication support 
■ Filtering based on attribute values 
■ Advanced customization of attribute flows 
■ Device writeback 
■ Group writeback 
■ Azure AD Domain Services support 
■ Exchange Hybrid writeback 
■ Cross-domain references 


Also, Azure AD Connect currently supports groups with up to 250K members, while Azure 
AD Connect cloud sync supports groups with up to 50K members only. 


Azure AD Connect and Azure AD Connect cloud sync may coexist for the same tenant. This 
is typically used in mergers and acquisitions scenarios: a company may have Azure AD Connect 
deployed for its main forest, while the forest of the acquired company is synchronized 
with Azure AD Connect cloud sync agents. This can be done without establishing network 
connectivity between the forests, which may be a challenging task if IP address ranges overlap. 


To deploy Azure AD Connect cloud sync: 

1. Prepare a domain-joined server running Windows Server 2016 or later. 
2. Select Azure portal > Azure AD Connect > Manage Azure AD cloud sync > Review 
all agents. See Figure 1-57. 
[Figure 1-57: On-premises provisioning agents page in the Azure portal (Home > Lamna 
Healthcare Company > Azure AD Connect), signed in as DunkerAndrea@lamnah... A 
"Download on-premises agent" command and a table with the columns Machine Name, 
External IP and Status, showing "No results".] 

FIGURE 1-57 Azure portal, On-premises provisioning agents page. 


3. Select Download on-premises agent. 
4. Review the Terms of Service and select Accept terms & download. 
5. Open the installation file. 


6. Review the License terms and Privacy notice, and select I agree to the license terms 
and conditions. 


7. Select Install. 


8. On the Welcome to Azure AD Connect provisioning agent configuration wizard 
page, select Next. See Figure 1-58. 


[Figure 1-58: Welcome page of the Azure AD Connect Provisioning Agent Configuration 
wizard (steps: Welcome, Connect Azure AD, Configure Service Account, Connect Active 
Directory, Confirm). Text: "Azure AD Connect provisioning agent supports the following 
integration scenarios: Azure AD cloud sync to synchronize identities from your on-premises 
Active Directory to Azure AD; HR driven provisioning to provision identities from cloud HR 
systems to on-premises Active Directory; Azure AD to on-premises application provisioning."] 

FIGURE 1-58 Azure AD Connect Provisioning Agent Configuration, Welcome page. 
9. Sign in with Global Administrator or Hybrid Identity Administrator credentials. 

10. On the Configure Service Account page (shown in Figure 1-59), provide Domain 
Admin credentials and select Next. The credentials are used to create a group managed 
service account (gMSA) in the on-premises Active Directory. It is safe to change the 
password of, or disable, the Domain Admin account later if necessary, for example if the 
Domain Admin leaves the organization. 


[Figure 1-59: Configure Service Account page of the Azure AD Connect Provisioning Agent 
Configuration wizard. Text: "Setup a group managed service account (gMSA) to manage your 
synchronization from Active Directory." Options: Create gMSA (selected), Use custom gMSA. 
"Enter your domain admin credentials to setup the gMSA account for your Active Directory." 
DOMAIN ADMIN USERNAME and Password fields; a "Learn more about group managed service 
accounts (gMSA)" link; Previous and Next buttons.] 

FIGURE 1-59 Azure AD Connect Provisioning Agent Configuration, Configure Service Account page. 


11. On the Connect Active Directory page (shown in Figure 1-60), you can add additional 
on-premises Active Directory domains to the synchronization. If Azure AD Connect 
cloud sync is being configured on the member server of the same domain that will be 
synchronized, select Next. 
[Figure 1-60: Connect Active Directory page of the Azure AD Connect Provisioning Agent 
Configuration wizard. Text: "Enter connection information for your on-premises Active 
Directory domains." DOMAIN drop-down showing lamnahealthcare.com with an Add Directory 
button; CONFIGURED DOMAINS: lamnahealthcare.com (Change Credentials, Remove); Previous 
and Next buttons.] 

FIGURE 1-60 Azure AD Connect Provisioning Agent Configuration, Connect Active Directory page. 


12. Review the proposed changes on the Agent configuration page and select Confirm. 
See Figure 1-61. 


[Figure 1-61: Agent configuration page of the Azure AD Connect Provisioning Agent 
Configuration wizard. Text: "Once you click 'Confirm', the provisioning agent will be 
configured on this computer using gMSA. Please review the agent configuration setting 
below before you start the configuration." Active Directory Configuration: 
lamnahealthcare.com, Username: lamnahealthcare.com\provAgentgMSA$. Azure Active 
Directory Configuration: Logged in as: DunkerAndrea@lamnahealthcare.onmicrosoft.com. 
Previous and Confirm buttons.] 

FIGURE 1-61 Azure AD Connect Provisioning Agent Configuration, Agent configuration page. 
13. After receiving the Your agent installation and configuration is complete message, 
select Exit. 

14. Open Azure portal > Azure Active Directory > Azure AD Connect > Manage Azure 
AD cloud sync > Review all agents. 


15. Notice that you now have an on-premises agent listed. See Figure 1-62. 


[Figure 1-62: On-premises provisioning agents page in the Azure portal (Home > Lamna 
Healthcare Company > Azure AD Connect cloud sync). The table (Machine Name, External IP, 
Status) now lists cloudsync1.lamnahealthcare.com with status "active".] 

FIGURE 1-62 On-premises provisioning agents page. 


16. Open Azure portal > Azure Active Directory > Azure AD Connect > Manage Azure 
AD cloud sync. 


17. Select New configuration. 
18. Ensure that the correct domain is selected and leave Enable password hash sync 
selected if you want PHS. Select Create. See Figure 1-63. 


[Figure 1-63: New cloud sync configuration page in the Azure portal (Home > Lamna 
Healthcare Company > Azure AD Connect cloud sync). Text: "Create an Azure Active Directory 
Connect cloud sync configuration by completing the setup below with default parameters. You 
will be able to perform advanced configuration later in the setup." "Which Active Directory 
domain would you like to sync?" lamnahealthcare.com; checkbox "Enable password hash sync" 
(selected). "Next steps: After creating your configuration with default parameters, you will 
be taken to the configuration details page to manage advanced settings."] 

FIGURE 1-63 New cloud sync configuration page. 


19. On the Edit cloud sync configuration page, adjust the following if necessary: 
■ Scope: which users will be synchronized to Azure AD, based on OU or group 
■ Attribute mapping 
■ Notification email 
■ Accidental deletion prevention 
■ Accidental deletion threshold 
See Figure 1-64 and Figure 1-65. 
[Figure 1-64: Edit cloud sync configuration page, first part, in the Azure portal (Home > 
Lamna Healthcare Company > Azure AD Connect cloud sync > New cloud sync configuration), 
with Save, Restart sync and Delete commands. Section 1 Configure: Active Directory domain 
lamnahealthcare.com; Scope users: All users in scope (Click to edit scoping filters). 
Section 2 Manage attributes: Sync password hashes: Enable; Map attributes: Click to edit 
mappings. Section 3 Validate (recommended): "Verify that sync is working as expected before 
enabling the configuration by testing with individual users. Quickly create, update, or 
disable the user's account in the target app based on your configuration."] 

FIGURE 1-64 Edit cloud sync configuration page, part 1. 

[Figure 1-65: second part of the same page. Section 3 Validate (recommended) with a 
Provision a user button. Section 4 Settings: Notification email; Prevent accidental deletion 
(selected); Accidental delete threshold: 500. Section 5 Deploy: "Enabling this will sync the 
users and groups that are in scope as identified by this configuration." Enable.] 

FIGURE 1-65 Edit cloud sync configuration page, part 2. 
20. Select Enable, Save and Yes. 


21. Open Azure portal > Azure Active Directory > Azure AD Connect > Manage Azure 
AD cloud sync and ensure that the configuration is now listed with the status Healthy. 


22. To edit the settings of the configuration, select a domain name and adjust the settings 
accordingly. 
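The agent wizard in step 10 creates a group managed service account rather than asking for a password, and Figure 1-61 shows that account (provAgentgMSA$) as the identity the agent will use against Active Directory. Whoever can retrieve that account's managed password can read the directory with the agent's rights, so it is worth confirming that only the agent host can. The following script is an added example, not from the book: it checks the gMSA with the ActiveDirectory RSAT module on the agent server. The account name comes from Figure 1-61 and the host name from Figure 1-62; the Windows service name AADConnectProvisioningAgent is an assumption, so confirm it with Get-Service *Provisioning* before relying on that last check.

```powershell
# Added example, not from the book: confirm what the provisioning agent wizard created.
# Run on the agent server with the ActiveDirectory RSAT module. provAgentgMSA is the
# account shown in Figure 1-61; cloudsync1 is the host shown in Figure 1-62. The service
# name AADConnectProvisioningAgent is assumed (check with Get-Service *Provisioning*).
Import-Module ActiveDirectory

$gmsaName   = 'provAgentgMSA'
$agentHosts = @('CLOUDSYNC1')        # every computer that is supposed to run the agent

$gmsa = Get-ADServiceAccount -Identity $gmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, PasswordLastSet, ObjectClass

# 1. It must really be a group managed service account: AD rotates its password and no
#    administrator ever types or stores it.
if ($gmsa.ObjectClass -ne 'msDS-GroupManagedServiceAccount') {
    Write-Warning "$gmsaName is a $($gmsa.ObjectClass), not a gMSA"
}
"$gmsaName password last rotated: $($gmsa.PasswordLastSet)"

# 2. Least privilege: only the agent hosts may retrieve the managed password. Any other
#    principal here (a broad group such as Domain Computers, or an admin workstation)
#    could impersonate the agent and read the directory with its rights.
$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword |
    ForEach-Object { (Get-ADObject -Identity $_).Name })
$allowed | Where-Object { $_ -notin $agentHosts } |
    ForEach-Object { Write-Warning "Unexpected principal may retrieve the gMSA password: $_" }
$agentHosts | Where-Object { $_ -notin $allowed } |
    ForEach-Object { Write-Warning "Agent host $_ cannot retrieve the gMSA password; the agent will fail to start there" }

# 3. This host can actually fetch the password, and the service is up. StartName shows
#    the identity the service runs as; compare it with the gMSA you expect.
Test-ADServiceAccount -Identity $gmsaName      # $true when the password is retrievable here
Get-CimInstance Win32_Service -Filter "Name='AADConnectProvisioningAgent'" |
    Select-Object Name, State, StartName
```

If you chose Use custom gMSA in Figure 1-59, substitute your account name; the checks are the same. A warning from check 2 is the one to act on, because the fix (editing PrincipalsAllowedToRetrieveManagedPassword with Set-ADServiceAccount) is quick and the exposure otherwise persists silently.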


Implement and manage Password Hash Synchronization (PHS) 

Password Hash Synchronization serves two goals: 

■ PHS is one of the three main authentication mechanisms in hybrid environments and 
allows users to sign in to Azure AD with the same password they use in on-premises Ac- 
tive Directory Domain Services. See Figure 1-66. 
■ PHS allows Azure AD Identity Protection to check for leaked credentials and protect 
user accounts. 

Even if your chosen authentication mechanism is Pass-Through Authentication (PTA) or 
Federation, we still recommend enabling Password Hash Synchronization for the purpose of 
detecting leaked credentials. 


[Figure 1-66: a user authenticates against the Azure AD tenant (cloud). On-premises, the 
Active Directory domain and the Azure AD Connect Synchronization Service (PHS enabled) 
exchange synchronization data, and the Synchronization Service synchronizes to the Azure AD 
tenant.] 

FIGURE 1-66 Password Hash Synchronization (PHS). 


We recommend using Password Hash Synchronization as your authentication mechanism 
because it provides the following benefits: 

■ Business continuity. Authentication to Azure AD doesn't depend on the availability of the 
on-premises environment over the internet or of on-premises components. 
■ Simple deployment. Implementation doesn't require any agents or federated identity 
providers to be deployed on-premises, which makes PHS the easiest authentication 
mechanism to implement. 
At the same time, Password Hash Synchronization comes with the following limitations: 

■ Since on-premises Active Directory doesn't participate in the authentication process, 
recent changes to the account (such as the account being disabled) must be 
synchronized from the on-premises environment to Azure AD to take effect. This usu- 
ally takes up to 30 minutes with Azure AD Connect and up to 2 minutes with Azure AD 
Connect cloud sync. 
■ Information about a password being expired or an account being locked out in on- 
premises Active Directory is not synchronized to Azure AD. Therefore, it is not 
considered during the Azure AD sign-in. 
■ Information about logon hours configured in on-premises Active Directory is not syn- 
chronized to Azure AD. Therefore, it is not considered during the Azure AD sign-in. 
■ Sign-in features not natively supported by Azure AD, such as smartcards or certificates, 
can't be used. 


NEED MORE REVIEW? PASSWORD HASH SYNCHRONIZATION 


Read more about how password hash synchronization works from an encryption stand- 
point and how it coexists with password policies at: 
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization 


To enable Password Hash Synchronization in an existing Azure AD Connect installation: 
1. Open the Azure AD Connect wizard using the desktop or Start menu shortcut. 


2. On the Welcome to Azure AD Connect page, select Configure. See Figure 1-67. 


[Figure 1-67: Welcome to Azure AD Connect page of the wizard. Text: "The synchronization 
service scheduler is suspended until this setup wizard is closed. Learn more about 'Scheduler 
and installation wizard'." Configure button.] 

FIGURE 1-67 Welcome to Azure AD Connect page. 
3. On the Additional tasks page, select Customize synchronization options. 
See Figure 1-68. 


[Figure 1-68: Additional tasks page of the Azure AD Connect wizard. Text: "The required 
tasks for the scenario have been completed. Choose from the list below to perform additional 
tasks." List: Privacy settings; View or export current configuration; Customize 
synchronization options; Configure device options; Refresh directory schema; Configure 
staging mode; Change user sign-in; Manage federation; Troubleshoot.] 

FIGURE 1-68 Additional tasks page. 


4. On the Connect to Azure AD page, provide the credentials of the Global Administrator or 
Hybrid Identity Administrator. 

5. On the Connect your directories page, review the list of on-premises Active Directory 
domains that password hash synchronization will apply to and then select Next. 

6. On the Domain and OU filtering page, review the OUs that will participate in synchro- 
nization and select Next. 

7. On the Optional features page, select the Password hash synchronization checkbox 
and select Next. See Figure 1-69. 
[Figure 1-69: Optional features page of the Azure AD Connect wizard (left-hand steps: 
Tasks, Connect to Azure AD, Sync, Connect Directories, Domain/OU Filtering, Optional 
Features, Configure). Text: "Select enhanced functionality if required by your organization." 
Checkboxes: Exchange hybrid deployment; Exchange Mail Public Folders; Azure AD app and 
attribute filtering; Password hash synchronization (selected); Password writeback; Group 
writeback; Device writeback; Directory extension attribute sync. "Learn more about optional 
features." Previous and Next buttons.] 

FIGURE 1-69 Optional features page. 


8. On the Ready to configure page, select Configure. 
9. On the Configuration complete page, select Exit. 


To enable Password Hash Synchronization in an existing Azure AD Connect cloud 
sync installation: 


1. Open Azure portal > Azure Active Directory > Azure AD Connect > Manage 
Azure AD cloud sync. 


2. Select the configuration (the domain that is being synchronized). 
3. In the Manage attributes section (section 2 of the configuration page), set Sync 
password hashes to Enable. 


4. Select Save. 
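Two PHS tasks are worth scripting rather than clicking through the wizard: reading and switching the PHS setting itself, and working around the first limitation listed above, the delay before an on-premises disable is honored in Azure AD. The following script is an added example, not from the book. Part A uses the ADSync module on the Azure AD Connect server (the same switch as the Password hash synchronization checkbox in Figure 1-69) and assumes a single-forest express installation, so that there is exactly one AD connector besides the Azure AD connector. Part B assumes the ActiveDirectory RSAT module and the Microsoft.Graph modules with User.ReadWrite.All; the account name mmiller is a constructed example.

```powershell
# Added example, not from the book. Part A: read and enable PHS with the ADSync module
# (single-forest express installation assumed). Part B: make an on-premises disable
# effective in Azure AD now rather than at the next 30-minute cycle, then revoke the
# user's refresh tokens. Assumes ActiveDirectory RSAT and Microsoft.Graph (User.ReadWrite.All);
# mmiller is a constructed account name.
Import-Module ADSync, ActiveDirectory

# --- Part A: PHS status and enablement ---
# The Azure AD connector is always named "<tenant>.onmicrosoft.com - AAD"; with one forest the
# remaining connector is the AD one.
$aadConnector = (Get-ADSyncConnector | Where-Object Name -like '* - AAD').Name
$adConnector  = (Get-ADSyncConnector | Where-Object Name -notlike '* - AAD').Name

Get-ADSyncAADCompanyFeature | Select-Object PasswordHashSync            # tenant-side feature flag
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector   # connector-side state

# Turn it on. Setting -Enable $false and then $true again is also Microsoft's documented way
# to force a full re-sync of all password hashes after hashes have been missed.
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

# --- Part B: propagate a disable without waiting ---
$sam = 'mmiller'
Disable-ADAccount -Identity $sam
$upn = (Get-ADUser -Identity $sam).UserPrincipalName

# A delta cycle carries the accountEnabled change; Start-ADSyncSyncCycle throws if a cycle is running.
if (-not (Get-ADSyncScheduler).SyncCycleInProgress) { Start-ADSyncSyncCycle -PolicyType Delta }

Connect-MgGraph -Scopes 'User.ReadWrite.All'
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 15
    $cloudUser = Get-MgUser -UserId $upn -Property Id, AccountEnabled
} while ($cloudUser.AccountEnabled -and (Get-Date) -lt $deadline)

if ($cloudUser.AccountEnabled) {
    Write-Warning "$upn is still enabled in Azure AD; check the export step of the Azure AD connector"
} else {
    # The synced disable blocks new sign-ins only. Refresh tokens already issued would keep
    # renewing sessions, so revoke them; access tokens already issued still last until expiry.
    Revoke-MgUserSignInSession -UserId $cloudUser.Id | Out-Null
    "$upn is disabled in Azure AD and existing sessions have been revoked"
}
```

Part B is the practical consequence of the limitation list: with PHS, Azure AD never consults the domain controller at sign-in, so a disable is only as fast as the next export. Triggering the delta cycle closes that window from up to 30 minutes to about the length of one sync run, and the token revocation covers the sessions that were already open when the account was disabled.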


Implement and manage Pass-Through Authentication (PTA) 


Pass-Through Authentication (PTA) is one of the three authentication mechanisms available in 
the hybrid deployment of Azure AD (the other two mechanisms are Password Hash Synchroni- 
zation and Federation, covered in other sections). 


When PTA is deployed, the user provides a password on the Azure AD login page, and 
Azure AD validates the password with on-premises Active Directory with the help of the PTA 
agent deployed on-premises. See Figure 1-70. 
[Figure 1-70: a user authenticates against the Azure AD tenant (cloud). Azure AD forwards 
the pass-through authentication request to the PTA agent on-premises, which validates it 
against the Active Directory domain. Separately, the Active Directory domain and the Azure 
AD Connect Synchronization Service exchange synchronization data, and the Synchronization 
Service synchronizes to the Azure AD tenant.] 

FIGURE 1-70 Pass-Through Authentication (PTA). 


A PTA agent can be enabled as part of the Azure AD Connect installation, on the same 
machine. In a production environment, for availability reasons, we recommend additionally 
installing two standalone PTA agents. 

There is no need to publish any ports to the internet for the PTA agent to work. When the PTA 
agent service starts, it establishes an outbound TCP session to Azure AD. The previously 
established TCP session(s) are then used to deliver pass-through authentication requests. 

Pass-Through Authentication provides the following benefits: 

■ Simple deployment. Implementation doesn't require complex network configuration, 
certificate management, or manually configured federation. 
■ High availability. It is possible to deploy multiple PTA agents on-premises. 
■ No synchronization-driven latency for existing accounts. Because each authentication 
request is validated against on-premises domain controllers, password changes or account 
status changes (enabled/disabled) are honored immediately. There is no need to wait 
for synchronization with Azure AD Connect. 
■ Security. On-premises policies such as logon hours configured in on-premises Active 
Directory are honored. 
At the same time, Pass-Through Authentication comes with the following limitations: 

■ Sign-in features not natively supported by Azure AD, such as smartcards or certificates, 
can't be used. 

■ Sign-in to Azure AD Joined devices with expired passwords is not supported. If an 
on-premises password has expired, the user will need to sign in through a browser, get a 
password update, and then sign in to the Azure AD Joined device. 


Pass-Through Authentication is only supported for Azure AD Connect installations (additional 
standalone agents may be installed as well, as discussed earlier) and isn't supported for 
Azure AD Connect cloud sync installations. 


You can select the Pass-Through Authentication option during Azure AD Connect installation 
or enable it in an existing Azure AD Connect deployment. 


To enable Pass-Through Authentication in an existing Azure AD Connect installation: 

1. Open the Azure AD Connect wizard using the desktop or Start menu shortcut. 

2. On the Welcome to Azure AD Connect page, select Configure. 

3. On the Additional tasks page, select Change user sign-in. 

4. On the Connect to Azure AD page, provide credentials of the Global Administrator or 
Hybrid Identity Administrator. 

5. On the User sign-in page, select Pass-through authentication. Keep Enable single 
sign-on selected for Seamless SSO (covered in the following section). Select Next. See 
Figure 1-71. 


[Figure 1-71 (screenshot): Azure AD Connect, User sign-in page, "Select the Sign On method." 
Options: Password Hash Synchronization, Pass-through authentication (selected), Federation 
with AD FS, Federation with PingFederate, Do not configure. The Enable single sign-on checkbox 
("Select this option to enable single sign-on for your corporate desktop users.") is selected. 
A note reads: "We recommend DunkerAndrea@lamnahealthcare.onmicrosoft.com to be a cloud only 
Global Administrator account so that this account is able to manage pass-through 
authentication in the event of an on-premises failure."] 

FIGURE 1-71 User sign-in page. 
6. On the Enable single sign-on page, provide the credentials for the Domain Administrator 
account to enable Seamless SSO (covered in the following section) and select Next. 

7. On the Ready to configure page, review the proposed changes and select Configure. 
See Figure 1-72. 


[Figure 1-72 (screenshot): Azure AD Connect, Ready to configure page. "Once you click 
Configure, we will do the following:" Connect to Azure AD: Install Microsoft Azure AD Connect 
Authentication Agent for Pass-Through Authentication. User Sign-in: Enable Pass-through 
authentication. Single sign-on: Enable managed authentication in Azure; Enable single 
sign-on. The checkbox "Start the synchronization process when configuration completes" is 
selected.] 

FIGURE 1-72 Ready to configure page. 


8. On the Configuration complete page, review the completed changes and select Exit. 
See Figure 1-73. 
[Figure 1-73 (screenshot): Azure AD Connect, Configuration complete page. Connect to Azure AD 
and User Sign-in: "The sign on method for Azure Active Directory is Pass-through 
authentication. Password hash synchronization is enabled in addition to your current sign-in 
method. Run the Customize synchronization options task to remove this optional feature if it 
is no longer required." Single sign-on: "Provide your users a single sign-on experience by 
configuring Seamless SSO through Group Policy."] 

FIGURE 1-73 Configuration complete page. 


Implement and manage Seamless Single Sign-On (Seamless SSO) 


Password Hash Synchronization (PHS) or Pass-Through Authentication (PTA) allow a user to 
sign in to Azure AD with the same password they use in an on-premises Active Directory. But 
the mere implementation of PHS or PTA does not provide Single Sign-On from an on-premises 
environment. Single Sign-On can be accomplished in one of two ways: 


■ Primary Refresh Token (PRT) 
■ Seamless Single Sign-on (Seamless SSO) 


Primary Refresh Token is available on Windows 10, Windows Server 2016, and later versions 
if the machine is Azure AD Registered, Azure AD Joined, or Hybrid Azure AD Joined. 


Seamless SSO (also known as Desktop SSO or SSSO) is available on Windows 7 and later. 
The device must be domain joined. 


We recommend using Primary Refresh Token when possible. 


NEED MORE REVIEW? SEAMLESS SSO AND PRT DOCUMENTATION 


Read more about how Seamless SSO works at: 
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-how-it-works 


Read about how Primary Refresh Token works at: 
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token 
To enable Seamless SSO in an Azure AD Connect environment, select the checkbox Enable 
single sign-on in Azure AD Connect configuration. See Figure 1-71. 
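Which of the two SSO paths a given Windows device can actually use depends on its join state and on whether it currently holds a PRT, and both are visible in the output of dsregcmd /status. The script below is an added example (not from the book or from Microsoft) that parses that output into a single object; the field names it reads (AzureAdJoined, DomainJoined, WorkplaceJoined, AzureAdPrt) are the labels dsregcmd prints.

```powershell
# Added example (not from the book): summarize a device's join state and PRT
# status from dsregcmd /status, so an administrator can tell whether the device
# will sign in with a PRT (preferred) or has to rely on Seamless SSO.
function Get-DeviceSsoState {
    $raw    = & dsregcmd.exe /status 2>&1 | Out-String
    $fields = @{}
    foreach ($line in ($raw -split "`r?`n")) {
        # Lines look like "    AzureAdJoined : YES"; single-word keys only
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $fields[$matches[1]] = $matches[2] }
    }

    $azureAdJoined = $fields['AzureAdJoined']   -eq 'YES'
    $domainJoined  = $fields['DomainJoined']    -eq 'YES'
    $registered    = $fields['WorkplaceJoined'] -eq 'YES'
    $hasPrt        = $fields['AzureAdPrt']      -eq 'YES'

    # PRT needs Azure AD Registered / Joined / Hybrid Joined on Windows 10+.
    # Seamless SSO only needs a domain-joined device (Windows 7 and later).
    $ssoPath = if ($hasPrt)           { 'PRT (recommended)' }
               elseif ($domainJoined) { 'Seamless SSO only (domain joined, no PRT present)' }
               else                   { 'None (not domain joined and no PRT)' }

    [pscustomobject]@{
        AzureAdJoined       = $azureAdJoined
        HybridAzureAdJoined = ($azureAdJoined -and $domainJoined)
        DomainJoined        = $domainJoined
        AzureAdRegistered   = $registered
        AzureAdPrt          = $hasPrt
        SsoPath             = $ssoPath
    }
}

Get-DeviceSsoState
```

Run it in the signed-in user's session (not elevated as a different account), because the PRT is per user. A hybrid-joined device that reports AzureAdPrt = NO is the usual symptom behind "SSO works from the browser but not from Office apps", and is worth chasing before touching the Seamless SSO configuration.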


NOTE SEAMLESS SSO WITH AZURE AD CONNECT CLOUD SYNC 


To enable Seamless SSO in an Azure AD Connect cloud sync environment, follow the steps 
as described in this article: 
https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-sso 


Implement and manage Federation, excluding manual ADFS deployment 


Federation is one of three main authentication mechanisms that provide single sign-on in an 
Azure AD hybrid environment (the other two mechanisms are Password Hash Synchronization 
and Pass-Through Authentication, as described earlier). Azure AD can be federated with various 
identity providers. For the purposes of this book, we will use Active Directory Federation 
Services (ADFS) as an example identity provider installed on-premises that can be federated 
with Azure AD, for two reasons: first, ADFS is an identity provider created by Microsoft; second, 
the Azure AD Connect installation wizard can configure an ADFS environment for you. 


You may already have an ADFS environment with a number of relying party trusts configured. 
In that case, Azure AD will become one more relying party trust in that existing ADFS 
environment. Configuring Azure AD federation in an existing ADFS environment is out of scope 
of this book. Manual ADFS deployment is out of scope as well. We will only cover configuring 
a new ADFS environment with the Azure AD Connect installation wizard. 


When Federation is configured, Azure AD redirects users to the federated identity provider 
for authentication. With Password Hash Synchronization or Pass-Through Authentication, the 
user submits a password to an Azure AD page (login.microsoftonline.com); with Federation, the 
user submits a password or another credential to the federated identity provider instead. 
Because of that, the federated identity provider's sign-in page must be exposed to the 
internet to allow users to authenticate externally. With ADFS, a Web Application Proxy should 
be published to accept external connections from the internet. 

Before installation, you will need to prepare. The prerequisites include: 

■ An Active Directory Domain Services environment. 
■ A machine that will become an Azure AD Connect server. 
■ A machine(s) that will become an ADFS server(s). 
■ A machine(s) that will become a Web Application Proxy server(s) and have port 443 
published to the internet. 


NOTE DOMAIN MEMBERSHIP FOR SERVERS 


Azure AD Connect Server and ADFS Servers will be domain members, while Web 
Application Proxy servers won't. 

■ A PFX file with the certificate for your future federation service name—for example, 
sts.northwindelectriccars.com. We recommend that the certificate be publicly trusted. 
■ External clients should be able to resolve the federation service name—for example, 
sts.northwindelectriccars.com—to the public IP address(es) of the Web Application Proxy 
server(s). 
■ Internal clients and Web Application Proxy server(s) should be able to resolve the 
federation service name—for example, sts.northwindelectriccars.com—to the IP address(es) of 
the ADFS server(s). 
■ Ensure that remote management of the future Web Application Proxy servers from the 
future Azure AD Connect server is enabled: 
  ■ On the Azure AD Connect server, run 
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value <DMZServerFQDN> -Force -Concatenate 
  ■ On the Web Application Proxy servers, run Enable-PSRemoting -Force 


NOTE AZURE AD CONNECT PREREQUISITES 


Read the full list of Azure AD Connect installation prerequisites at: 
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites 
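Most failed first-time federation installs trace back to one of the prerequisites above (split-brain DNS for the service name, a certificate that doesn't cover it, or WinRM to the non-domain-joined proxy). The following script, an added example that is not from the book or from Microsoft, checks them from the future Azure AD Connect server before the wizard runs. The service name is the one from the list above; the DNS server addresses, the proxy host name and the PFX path are placeholders you replace.

```powershell
# Added example (not from the book): validate the federation prerequisites from
# the future Azure AD Connect server before running the wizard. Resolver
# addresses, the WAP host name and the PFX path are placeholders.
$FederationServiceName = 'sts.northwindelectriccars.com'   # from the prerequisites list
$InternalDns = '10.0.0.10'           # placeholder: an internal DNS server
$PublicDns   = '8.8.8.8'             # placeholder: a public resolver (external view)
$WapServer   = 'wap01.dmz.example'   # placeholder: future Web Application Proxy FQDN
$PfxPath     = 'C:\certs\sts.pfx'    # placeholder
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

function Test-FederationPrerequisites {
    $report = [ordered]@{}

    # 1. Split-brain DNS: internal clients must land on the ADFS servers,
    #    external clients on the WAP public IP(s), so the answers should differ.
    $internal = Resolve-DnsName $FederationServiceName -Server $InternalDns -Type A -ErrorAction SilentlyContinue
    $external = Resolve-DnsName $FederationServiceName -Server $PublicDns   -Type A -ErrorAction SilentlyContinue
    $report.InternalResolvesTo = ($internal | Where-Object Type -eq 'A').IPAddress -join ','
    $report.ExternalResolvesTo = ($external | Where-Object Type -eq 'A').IPAddress -join ','
    $report.SplitBrainDnsOk    = [bool]($report.InternalResolvesTo -and $report.ExternalResolvesTo -and
                                        ($report.InternalResolvesTo -ne $report.ExternalResolvesTo))

    # 2. Certificate: the PFX must carry the private key, name the service in
    #    the subject or SAN, and chain to a trusted root (publicly trusted is
    #    the recommendation). EphemeralKeySet keeps the key out of the local store.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        $PfxPath, $PfxPassword,
        [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet)
    $names = @($cert.Subject) + @($cert.DnsNameList | ForEach-Object Unicode)
    $report.CertCoversServiceName = [bool]($names | Where-Object { $_ -match [regex]::Escape($FederationServiceName) })
    $report.CertHasPrivateKey     = $cert.HasPrivateKey
    $report.CertChainTrusted      = $cert.Verify()
    $report.CertExpires           = $cert.NotAfter

    # 3. Remote management of the WAP server: it is not domain joined, so it
    #    must be in WinRM TrustedHosts here and answer WS-Management.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $report.WapInTrustedHosts = (($trusted -split ',') | ForEach-Object Trim) -contains $WapServer
    $report.WapWinRmReachable = [bool](Test-WSMan -ComputerName $WapServer -ErrorAction SilentlyContinue)

    [pscustomobject]$report
}

Test-FederationPrerequisites | Format-List
```

Every property should read True (or, for the two resolution fields, show the expected addresses) before you start the wizard; a False in CertChainTrusted is acceptable only if you knowingly chose an internal CA and accept that external clients will not trust the proxy's certificate.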


See Figure 1-74 for the topology diagram. 


[Figure 1-74 (diagram): the user accesses the Web Application Proxy, which forwards to the 
ADFS Server on-premises; a federation trust connects ADFS with the Azure AD tenant in the 
cloud. In the on-premises infrastructure, the Active Directory domain synchronizes through 
the Azure AD Connect Synchronization Service to the Azure AD tenant.] 


FIGURE 1-74 Federation. 
To install Azure AD Connect and configure ADFS: 

1. Download Azure AD Connect from https://go.microsoft.com/fwlink/?LinkId=615771. 

2. Run the installation file. 

3. On the Welcome to Azure AD Connect screen, review the license terms and privacy 
notice, and select Continue. 

4. On the Express Settings page (shown in Figure 1-52), select Customize. 

5. On the Install required components page, select Install. See Figure 1-75 for other 
customization options available at this step. 


[Figure 1-75 (screenshot): Azure AD Connect, Install required components page. "No existing 
synchronization service was found on this computer. The Azure AD Connect synchronization 
service will be installed." Optional checkboxes: Specify a custom installation location; Use 
an existing SQL Server; Use an existing service account; Specify custom sync groups; Import 
synchronization settings. Buttons: Previous, Install.] 

FIGURE 1-75 Install required components page. 


6. On the User sign-in page, select Federation with AD FS. See Figure 1-76. 


[Figure 1-76 (screenshot): Azure AD Connect, User sign-in page, "Select the Sign On method." 
Options: Password Hash Synchronization, Pass-through authentication, Federation with AD FS 
(selected), Federation with PingFederate, Do not configure; Enable single sign-on checkbox. 
AD FS Farm section: "We will install or use an existing Active Directory Federation Services 
(AD FS) farm. You must have the following: Windows Server 2012 R2 or later for the federation 
server; Windows Server 2012 R2 or later for the Web Application Proxy server; An SSL 
certificate with your federation service name (example: fs.contoso.com). Learn more about 
AD FS requirements."] 


FIGURE 1-76 User sign-in page. 


7. On the Connect to Azure AD page, provide the credentials of the Global Administrator 
or Hybrid Identity Administrator. You may also be asked to provide a second factor of 
authentication, depending on tenant settings. 

These credentials will be used for configuration and creating another user account for 
synchronization purposes (service account). There is no need to manually create a service 
account in Azure AD. It is safe to disable the Global Administrator or Hybrid Identity 
Administrator account at a later point—for example, if an administrator that configured 
Azure AD Connect leaves the company. 

8. On the Connect your directories page, select Add Directory to add the current directory 
to the synchronization. Provide the credentials of the enterprise administrator that will be 
used to configure the account for synchronization. Similar to the step above, it is safe to 
change the credentials or remove the enterprise administrator account later if needed. 
Select Next. 

9. On the Azure AD sign-in configuration page, review the list of Active Directory UPN 
suffixes provided and the corresponding Azure AD domains. Select Next. 

10. On the Domain and OU filtering page, include or exclude certain OUs from 
synchronization if required, and select Next. 
12. Review the settings on the Uniquely identifying your users page. If you have only one 
Active Directory forest to synchronize from, and users from that forest are synchronized 
to only one Azure AD tenant, you can typically select Next. See Figure 1-77. 


[Figure 1-77 (screenshot): Azure AD Connect, Uniquely identifying your users page. "Select 
how users should be identified in your on-premises directories": Users are represented only 
once across all directories (selected); User identities exist across multiple directories. 
Match using: Mail attribute; ObjectSID and msExchMasterAccountSID/msRTCSIP-OriginatorSID 
attributes; SAMAccountName and MailNickName attributes; A specific attribute. "Select how 
users should be identified with Azure AD": Let Azure manage the source anchor (selected); 
Choose a specific attribute. Note: "Azure will write back unique source anchors to your 
on-premises directory if mS-DS-ConsistencyGuid is currently unused by your organization."] 


FIGURE 1-77 Uniquely identifying your users page. 


13. On the Filter users and devices page, select the group of users and devices that should 
be synchronized. This option is supported only for pilot deployments. For production 
deployments, select Next. 


14. On the Optional features page, review the options. We recommend enabling Password 
hash synchronization even if the selected authentication mechanism is Federation 
with ADFS. See Figure 1-78 for the available options. 
[Figure 1-78 (screenshot): Azure AD Connect, Optional features page, "Select enhanced 
functionality if required by your organization." Checkboxes: Exchange hybrid deployment; 
Exchange Mail Public Folders; Azure AD app and attribute filtering; Password hash 
synchronization; Password writeback; Group writeback; Device writeback; Directory extension 
attribute sync. "Learn more about optional features."] 


FIGURE 1-78 Optional features page. 


15. On the Domain Administrator credentials page, provide the Domain Administrator 
credentials for the domain where the ADFS server will be installed. 


16. On the AD FS farm page (shown in Figure 1-79), provide the PFX file with the certificate 
described in the prerequisites section. 


[Figure 1-79 (screenshot): Azure AD Connect, AD FS farm page. Options: Configure a new AD FS 
farm (selected); Use an existing AD FS farm. "Provide a password protected PFX file 
containing the SSL certificate that will be used to secure the communication between clients 
and AD FS." Fields: Certificate file (sts_northwindelectriccars PFX), Subject name 
(sts.northwindelectriccars...), Federation service name (https://sts.northwindelectriccars...).] 


FIGURE 1-79 ADFS farm page. 
17. On the AD FS Server page, add the names of future ADFS servers and select Next. 

18. On the Web Application Proxy server page, add the names of future Web Application 
Proxy servers and select Next. 

19. On the AD FS service account page, keep Create a group Managed Service Account 
selected, provide the credentials of the Enterprise Administrator, and select Next. 
See Figure 1-80. 


[Figure 1-80 (screenshot): Azure AD Connect, AD FS service account page, "Specify the AD FS 
service log on account." Options: Create a group Managed Service Account (selected); Use an 
existing group Managed Service Account; Use a domain user account. Fields: Enterprise admin 
username (NORTHWINDELECTR\azureadministrator) and Enterprise admin password.] 


FIGURE 1-80 AD FS service account page. 


20. On the Azure AD domain page, select a custom domain name that will be converted 
from Managed to Federated state. Select Next. See Figure 1-81. 
[Figure 1-81 (screenshot): Azure AD Connect, Azure AD domain page, "Select the Azure AD 
domain to federate with your on premises directory." Domain: northwindelectriccars... 
Warning: "The northwindelectriccars... domain is managed and will be converted to a 
federated domain. User logins will be disrupted during this process."] 


FIGURE 1-81 Azure AD domain page. 


21. On the Ready to configure page, review the proposed changes and select Install. 
See Figure 1-82. 


[Figure 1-82 (screenshot): Azure AD Connect, Ready to configure page. "Once you click 
Install, we will do the following: Configure synchronization services on this computer; 
Configure federation service sts.northwindelectriccars... on 1 server(s); Configure the Web 
Application Proxy on 1 server(s); Configure Azure AD trust for northwindelectriccars..." 
Checkboxes: "Start the synchronization process when configuration completes." and "Enable 
staging mode: when selected, synchronization will not export any data to AD or Azure AD." 
Buttons: Previous, Install.] 


FIGURE 1-82 Ready to configure page. 
22. On the Configuration complete page, select Next. 

23. On the Verify federation connectivity page, select both checkboxes and select 
Verify. See Figure 1-83. 


[Figure 1-83 (screenshot): Azure AD Connect, Verify federation connectivity page. "Clients 
must be able to resolve your federation service endpoints from both the intranet and extranet 
to successfully log in. You must configure domain name resolution for your service before 
verification will succeed." Checkboxes: "I have created DNS A records or DNS AAAA records that 
allow clients to resolve my federation service (sts.northwindelectriccars...) from the 
intranet." and "I have created DNS A records that allow clients to resolve my federation 
service (sts.northwindelectriccars...) from the extranet." Note: "After your on-premises 
directory has finished synchronizing with Azure Active Directory, use the Verify federated 
login additional task to verify a federated user can successfully log in."] 


FIGURE 1-83 Verify federation connectivity page. 


24. Ensure that verification was successful and select Exit. 

25. Open Azure AD Connect using the desktop shortcut. 

26. On the Welcome to Azure AD Connect page, select Configure. 
27. On the Additional tasks page, select Manage federation. 

28. On the Manage federation page, select Verify federated login. 


29. On the Connect to Azure AD page, provide the credentials of the Global Administrator 
or Hybrid Identity Administrator. 


30. Provide credentials of the synchronized user. 


31. Ensure that you see the message Successfully logged into Microsoft Online using a 
security token from AD FS with the provided user credentials and select Exit. 
32. Disable the WS-Trust endpoints for extranet usage by running the following commands 
on the primary ADFS server: 

Set-AdfsEndpoint -TargetAddressPath /adfs/services/trust/2005/windowstransport -Proxy $false 

Set-AdfsEndpoint -TargetAddressPath /adfs/services/trust/13/windowstransport -Proxy $false 


NEED MORE REVIEW? SECURITY BEST PRACTICES FOR ADFS 


Read more about the security reasons for this configuration at: 
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs 


33. Enable Extranet Lockout Protection to protect your users from brute force password 
attacks from the internet by running the following command on the primary ADFS server: 

Set-AdfsProperties -EnableExtranetLockout $true 


NEED MORE REVIEW? ADFS EXTRANET LOCKOUT PROTECTION 


Read more about ADFS Extranet Lockout Protection at: 
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-soft-lockout-protection 
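Steps 32 and 33 are the two post-install hardening settings Azure AD Connect Health later alerts on, so it pays to apply them in one place and read them back. The following script is an added example (not from the book or from Microsoft) for the primary ADFS server: it applies both settings and then reports whether the farm is compliant. The lockout threshold and observation window are illustrative placeholders; Microsoft's guidance is to keep the extranet threshold below the Active Directory account lockout threshold.

```powershell
# Added example (not from the book): apply the two hardening steps above on the
# primary ADFS server and read the configuration back, so a change that
# silently failed (or was later reverted) is caught. Threshold and window are
# placeholders; keep the threshold below the AD account lockout threshold.
Import-Module ADFS

$WsTrustWindowsPaths = @(
    '/adfs/services/trust/2005/windowstransport',
    '/adfs/services/trust/13/windowstransport'
)

function Set-AdfsExtranetHardening {
    foreach ($path in $WsTrustWindowsPaths) {
        # Keep the endpoint for intranet clients but stop publishing it through WAP
        Set-AdfsEndpoint -TargetAddressPath $path -Proxy $false
    }
    # Count failed extranet attempts per account and pause extranet sign-in
    # for that account before Active Directory itself locks it out.
    Set-AdfsProperties -EnableExtranetLockout $true `
                       -ExtranetLockoutThreshold 10 `
                       -ExtranetObservationWindow (New-TimeSpan -Minutes 30)
}

function Test-AdfsExtranetHardening {
    $findings = @()
    foreach ($path in $WsTrustWindowsPaths) {
        $ep = Get-AdfsEndpoint | Where-Object AddressPath -eq $path | Select-Object -First 1
        if (-not $ep) { $findings += "Endpoint $path not found"; continue }
        if ($ep.Proxy) { $findings += "Endpoint $path is still published to the extranet (Proxy = True)" }
    }
    $props = Get-AdfsProperties
    if (-not $props.EnableExtranetLockout) { $findings += 'Extranet lockout is disabled' }

    [pscustomobject]@{
        Compliant                 = ($findings.Count -eq 0)
        Findings                  = $findings
        ExtranetLockoutThreshold  = $props.ExtranetLockoutThreshold
        ExtranetObservationWindow = $props.ExtranetObservationWindow
    }
}

Set-AdfsExtranetHardening
Test-AdfsExtranetHardening | Format-List
```

Test-AdfsExtranetHardening is also useful on its own as a scheduled drift check: Compliant = False with a Findings entry is exactly the condition behind the "Windows Transport endpoint is enabled" and "Extranet Lockout Protection Disabled" alerts described in the Azure AD Connect Health section below.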


Implement and manage Azure AD Connect Health 


Azure AD Connect Health helps to monitor on-premises components of your hybrid environment: 


■ Azure AD Connect Health Synchronization Engine 
■ Active Directory Domain Services (ADDS) 
■ Active Directory Federation Services (ADFS) 


Azure AD Connect Health relies on agents that run on the respective servers in an on-premises 
environment: Azure AD Connect servers, domain controllers, and ADFS servers. Azure 
AD Connect Health agents need outbound connectivity to Azure AD Connect Health service 
endpoints in the cloud. Installation procedures vary depending on the agent used—for the 
synchronization engine, domain controllers, or ADFS. 


The Azure AD Connect Health agent for Synchronization Engine is installed automatically 
when you install Azure AD Connect. No manual installation steps are required. 
To monitor the status of your Azure AD Connect Synchronization Engine, open Azure 
portal > Azure AD Connect Health > Sync services. You will see a list of Azure AD Connect 
servers with health agents installed. See Figure 1-84. 


[Figure 1-84 (screenshot): Azure portal, Azure Active Directory Connect Health | Sync services 
page for the Lamna Healthcare Company tenant. Left menu: Quick start; Azure Active Directory 
Connect (Sync): Sync errors, Sync services; Active Directory Federation Services: AD FS 
services; Active Directory Domain Services: AD DS services; Configure: Settings, Role based 
access control (IAM); Troubleshooting + Support: Troubleshoot, New support request. The table 
lists Service Name lamnahealthcare.onmicros..., Active Alerts 0, Last Updated 2/9/2022, 
9:45:28 PM, Status Healthy.] 


FIGURE 1-84 Azure Active Directory Connect Health, Sync services page. 


Select a service name to view the run profile latency chart for the last 24 hours. 


To view individual synchronization errors, open Azure portal > Azure AD Connect 
Health > Sync errors. See Figure 1-85. 
[Figure 1-85 (screenshot): Azure portal, Azure Active Directory Connect Health | Sync errors 
page for the Lamna Healthcare Company tenant, with Export and Notification Settings commands. 
"Sync Error by Type" tiles for the AadSyncService: Duplicate Attribute 1, Data Mismatch 0, 
Data Validation Failure 0, Large Attribute 0, Federated Domain Change 0, Existing Admin Role 
Conflict 0, Other 0.] 


FIGURE 1-85 Azure Active Directory Connect Health, Sync errors page. 


The Azure AD Connect Health agent for ADFS should be installed manually. To install the 
Azure AD Connect Health agent on ADFS servers: 


1. Download the Azure AD Connect Health agent for ADFS from 
https://go.microsoft.com/fwlink/?LinkID=518973. 


2. Run the installation file. 


3. On the first screen, review the Microsoft Azure Subscription Agreement and select 
Install. See Figure 1-86. 


[Figure 1-86 (screenshot): Azure AD Connect Health AD FS Agent Setup dialog. "Microsoft Azure 
AD Connect Health Agent is designed for use solely in conjunction with Azure Active Directory. 
This agent will collect and transmit configuration, event log and login data to Microsoft 
Azure Active Directory for the purposes of monitoring and providing you with additional 
insights into operational activity (including logins). Microsoft Azure Subscription 
Agreement." Version 3.1.113.0; buttons Install and Close.] 


FIGURE 1-86 Azure AD Connect Health AD FS Agent Setup page. 
4. On the Setup Successful page, select Configure Now. See Figure 1-87. 


[Figure 1-87 (screenshot): Azure AD Connect Health AD FS Agent, Setup Successful page, with a 
Learn More link and Configure Now and Close buttons.] 


FIGURE 1-87 Azure AD Connect Health ADFS Agent Setup Successful page. 


5. Sign in with a Global Administrator account. 

6. Review the result of script execution. You may receive a warning that auditing isn't 
enabled (this will be covered below). 

7. (Optional) To get Usage Analytics collected by the Azure AD Connect Health AD FS 
Agent, enable auditing: 

A. In the Local Security Policy, add the ADFS service account to the Security 
Settings\Local Policies\User Rights Assignment\Generate security audits policy. The 
ADFS service account name is typically DOMAIN\aadcsvc$. 

B. Run the following command in an elevated command prompt: 
auditpol.exe /set /subcategory:{0CCE9222-69AE-11D9-BED3-505054503030} /failure:enable /success:enable 

C. Run the PowerShell command Set-AdfsProperties -AuditLevel Verbose 

D. If agent registration previously completed with warnings, restart agent registration by 
running the PowerShell command Register-AzureADConnectHealthADFSAgent 

8. Repeat steps 1-6 on Web Application Proxy servers. There is no need to enable auditing 
on them. 
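The three auditing settings in step 7 live in three different places (local security policy, the system audit policy, and ADFS configuration), which is why Usage Analytics so often stays empty after a partial setup. The script below is an added example (not from the book or from Microsoft) that verifies all three on an ADFS server; the subcategory GUID is the one from step 7B, and the service account name is a placeholder following the pattern the text gives.

```powershell
# Added example (not from the book): verify the three auditing prerequisites
# for ADFS Usage Analytics on an ADFS server. Run elevated. The service account
# name is a placeholder following the DOMAIN\aadcsvc$ pattern from the text.
Import-Module ADFS
$AppGeneratedSubcategory = '{0CCE9222-69AE-11D9-BED3-505054503030}'   # "Application Generated" (step 7B)
$AdfsServiceAccount      = 'DOMAIN\aadcsvc$'                           # placeholder

function Test-AdfsAuditPrerequisites {
    # 1. System audit policy: the "Application Generated" subcategory must log
    #    both success and failure. /r gives CSV, which is easy to parse.
    $auditpol = auditpol.exe /get "/subcategory:$AppGeneratedSubcategory" /r | ConvertFrom-Csv
    $setting  = $auditpol | Select-Object -First 1 -ExpandProperty 'Inclusion Setting'
    $auditOk  = ($setting -eq 'Success and Failure')

    # 2. ADFS audit level (step 7C)
    $level   = @((Get-AdfsProperties).AuditLevel)
    $levelOk = ($level -contains 'Verbose')

    # 3. "Generate security audits" user right (SeAuditPrivilege) for the service
    #    account (step 7A), read from a secedit export. secedit lists SIDs with a
    #    leading '*', so resolve the account name to its SID for the comparison.
    $tmp = Join-Path $env:TEMP 'secpol-export.inf'
    secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $line = Get-Content $tmp | Where-Object { $_ -like 'SeAuditPrivilege*' }
    Remove-Item $tmp -ErrorAction SilentlyContinue
    $sid = (New-Object System.Security.Principal.NTAccount($AdfsServiceAccount)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $rightOk = [bool]($line -and (($line -match [regex]::Escape($sid)) -or
                                  ($line -match [regex]::Escape($AdfsServiceAccount))))

    [pscustomobject]@{
        ApplicationGeneratedAudit = $setting
        AuditPolicyOk             = $auditOk
        AdfsAuditLevel            = ($level -join ',')
        AuditLevelOk              = $levelOk
        ServiceAccountHasSeAudit  = $rightOk
        AllPrerequisitesMet       = ($auditOk -and $levelOk -and $rightOk)
    }
}

Test-AdfsAuditPrerequisites | Format-List
```

If AllPrerequisitesMet is False after you have applied step 7, re-run Register-AzureADConnectHealthADFSAgent (step 7D) only once the failing item is fixed; the agent re-checks these settings at registration time.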
Once Azure AD Connect Health Agents for ADFS are installed and configured, they will 
start reporting health data. You can view their status at Azure portal > Azure AD Connect 
Health > AD FS services. See an example in Figure 1-88. 


[Figure 1-88 (screenshot): Azure portal, Azure Active Directory Connect Health | AD FS 
services page for the Northwind Electric Cars tenant. The table lists Service Name 
sts.northwindelectriccar..., Active Alerts 0, Last Updated 2/12/2022, 3:53:21 AM, Status 
Healthy. The left menu is the same as in Figure 1-84.] 


FIGURE 1-88 Azure Active Directory Connect Health | AD FS services page. 
Use Azure AD Connect Health for ADFS to: 


■ View Properties of your ADFS configuration. See Figure 1-89. 


[Figure 1-89 (screenshot): Azure portal, Properties page for the sts.northwindelectriccars... 
federation service. Fields: Identifier (http://sts.northwindelectriccars.../adfs/services/ 
trust); Primary WID server ADFS1; Service account (the ADFS gMSA in the 
NorthwindElectricCars.com domain); AAD trust Configured; Farm behavior level 4 (2019 Mode); 
Applications 1; Identity providers 1; Configuration store (WID data source); 
AutoCertificateRollover enabled; Service-Communications, Token-Decrypting and Token-Signing 
certificates issued to sts.northwindelectriccars....] 


FIGURE 1-89 Azure Active Directory Connect Health for ADFS, Properties page. 


■ View alerts such as Extranet Lockout Protection Disabled for ADFS or The Windows 
Transport endpoint is enabled. It is recommended that the endpoint be disabled 
from the extranet due to a known security vulnerability. 


■ Configure notification settings. 


■ Monitor the number of token requests per second on ADFS servers and Web Application 
Proxies. See Figure 1-90. 


[Figure 1-90 (screenshot): Azure portal, sts.northwindelectriccars... federation service, 
Monitoring section, chart "Token Requests /sec from the last 24 hours".] 


FIGURE 1-90 Azure Active Directory Connect Health for ADFS, Monitoring section. 


■ Monitor bad password attempts. 


NEED MORE REVIEW? AZURE AD CONNECT HEALTH FOR ADFS 
Read more about Azure AD Connect Health for ADFS at: 
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-adfs 


A third component of Azure AD Connect Health (along with Azure AD Connect Health for 
Sync and Azure AD Connect Health for ADFS) is Azure AD Connect Health for ADDS. 


Download the Azure AD Connect Health Agent for ADDS from 
https://go.microsoft.com/fwlink/?LinkID=820540. 


The installation procedure is similar to the one for the Azure AD Connect Health Agent for ADFS. 
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To use Azure AD Connect Health for ADDS, open Azure portal > Azure AD Connect 
Health > AD DS services and select the forest name. See Figure 1-91. 


FIGURE 1-91 Azure Active Directory Connect Health for ADDS. The forest page shows the Essentials (forest name, domain naming master, and schema master), the Domain Controllers, Domains and Sites summary (2 of 2 DCs monitored, 1 domain, 1 site), and the Replication Status for the NorthwindElectricCars.com forest.


Use Azure AD Connect Health for ADDS to:

■ View domain controllers, domains, and sites.

■ View replication status.

■ View alerts.

■ Configure notification settings.

■ Monitor LDAP Successful Binds/sec for each domain controller.

■ Monitor NTLM Authentications/sec for each domain controller.

■ Monitor Kerberos Authentications/sec for each domain controller.
Troubleshoot synchronization errors

As with many other solutions, troubleshooting Azure AD Connect can be done on many levels, depending on the complexity of the problem, the level of configuration customization, and the skills of the person doing the troubleshooting. For the purposes of this book, we will focus on troubleshooting using the Azure AD Connect wizard.


To troubleshoot synchronization using the Azure AD Connect wizard: 

1. Ensure that the PowerShell execution policy is set to RemoteSigned or Unrestricted. 
2. Open the Azure AD Connect wizard. 

3. On the Welcome to Azure AD Connect page, select Configure. 


4. On the Additional tasks page, select Troubleshoot and then select Next. See 
Figure 1-92. 


FIGURE 1-92 Azure AD Connect, Additional tasks page. The page lists Privacy settings, View or export current configuration, Customize synchronization options, Configure device options, Refresh directory schema, Configure staging mode, Change user sign-in, Manage federation, and Troubleshoot.


5. On the Welcome to AADConnect Troubleshooting page, select Launch.


6. The PowerShell-based troubleshooting tool will be displayed with a list of options. 
See Figure 1-93. 
FIGURE 1-93 AAD Connect Troubleshooting main menu.


Enter ‘1’ - Troubleshoot Object Synchronization 

Enter ‘2’ - Troubleshoot Password Hash Synchronization 
Enter ‘3’ - Collect General Diagnostics 

Enter ‘4’ - Configure AD DS Connector Account Permissions 
Enter ‘5’ - Test Azure Active Directory Connectivity 

Enter ‘6’ - Test Active Directory Connectivity 

Enter ‘Q’ - Quit 

Please make a selection: 


7. Proceed with the desired troubleshooting option. For example, to continue with object synchronization, type 1 and press Enter.

8. The object synchronization options are displayed, as shown in Figure 1-94.

FIGURE 1-94 AAD Connect Troubleshooting, Troubleshoot Object Synchronization step.
Enter '1' - Diagnose Object Synchronization Issues

Enter '2' - Diagnose Attribute Synchronization Issues

Enter '3' - Diagnose Group Membership Synchronization Issues

Enter '4' - How to change Exchange Online primary email address

Enter '5' - How to hide mailbox from Exchange Online global address list

Enter '6' - Compare object read permissions when running in context of AD Connector account vs Admin account

Enter 'B' - Go back to main troubleshooting menu

Enter 'Q' - Quit

Please make a selection:


9. Select the desired option. For example, if option 1 (Diagnose Object Synchronization Issues) is selected, you will be asked to provide the Distinguished Name of the AD object. Then, you will be asked to provide the credentials of an Azure AD tenant Global Administrator or Hybrid Identity Administrator.

10. Review the problems found, the recommended actions, and the generated HTML report. See Figure 1-95.


FIGURE 1-95 AAD Connect Troubleshooting shows the result of object synchronization troubleshooting. In this run the tool reports a "UPN Mismatch due to Non-Verified UPN Suffix" issue and offers three options: verify the on-premises UPN suffix as a domain in the Azure AD tenant, add an alternative UPN suffix to the on-premises accounts, or change the Azure AD UPN prefix and/or suffix with an Azure AD PowerShell cmdlet. The tool then opens the HTML report.
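The non-verified UPN suffix problem reported in Figure 1-95 can be caught before a synchronization run. The following PowerShell is an added example; it is not code from the book, from the Azure AD Connect wizard, or from its troubleshooting tool. It models the rule Azure AD Connect applies: a user whose on-premises UPN suffix is not a verified domain in the tenant is synchronized with the suffix replaced by the tenant's initial .onmicrosoft.com domain, so the cloud UPN no longer matches the on-premises one. The function names, the sample UPNs, and the domain names are this example's own constructed values; in a real tenant the verified domain list would come from, for example, (Get-MgDomain | Where-Object IsVerified).Id in Microsoft Graph PowerShell rather than from a hard-coded array. The first function covers step 1 of the procedure, the execution policy check.

```powershell
# Added example, not from the book or from Azure AD Connect. Function names, sample UPNs,
# and tenant domain names are constructed for illustration.

function Test-TroubleshooterPrerequisite {
    # Step 1 of the procedure: the wizard's PowerShell troubleshooter needs an
    # execution policy of RemoteSigned or Unrestricted.
    $policy = Get-ExecutionPolicy
    if ($policy -in 'RemoteSigned', 'Unrestricted') { return $true }
    Write-Warning "Execution policy is '$policy'; run 'Set-ExecutionPolicy RemoteSigned' in an elevated prompt first."
    return $false
}

function Test-UpnSuffix {
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalName,  # on-premises UPNs to check
        [Parameter(Mandatory)] [string[]] $VerifiedDomain,     # custom domains verified in the tenant
        [Parameter(Mandatory)] [string]   $InitialDomain       # the tenant's <name>.onmicrosoft.com domain
    )
    $verified = @($VerifiedDomain) + $InitialDomain
    foreach ($upn in $UserPrincipalName) {
        if ($upn -match '^(?<prefix>[^@\s]+)@(?<suffix>[^@\s]+)$') {
            $prefix = $Matches.prefix
            $suffix = $Matches.suffix
            if ($verified -contains $suffix) {
                # -contains compares case-insensitively, which is how domain names compare.
                [pscustomobject]@{ UserPrincipalName = $upn; Status = 'OK'; CloudUpn = $upn }
            } else {
                # Azure AD keeps the prefix and substitutes the initial domain for an
                # unverified suffix: the "UPN Mismatch due to Non-Verified UPN Suffix"
                # condition the troubleshooter reports.
                [pscustomobject]@{
                    UserPrincipalName = $upn
                    Status            = 'UPN suffix not verified'
                    CloudUpn          = "$prefix@$InitialDomain"
                }
            }
        } else {
            # Not prefix@suffix at all; such a value cannot be used as a UPN.
            [pscustomobject]@{ UserPrincipalName = $upn; Status = 'Invalid UPN'; CloudUpn = $null }
        }
    }
}

# Constructed sample: one verified custom domain, one user on it, one user on an
# internal suffix that can never be verified, and one malformed value.
$verifiedDomains = @('northwindelectriccars.com')
$upns = @('vasa.petr@northwindelectriccars.com', 'jane.doe@corp.local', 'no-at-sign')

$null = Test-TroubleshooterPrerequisite   # warns if the wizard's troubleshooter would not start
Test-UpnSuffix -UserPrincipalName $upns -VerifiedDomain $verifiedDomains `
               -InitialDomain 'northwindelectriccars.onmicrosoft.com' |
    Format-Table -AutoSize
```

Run this against an export of on-premises UPNs before the first full sync. A user flagged as "UPN suffix not verified" should be fixed on-premises (or given an alternative UPN suffix that is verified in the tenant) before the next delta sync, because users sign in to Azure AD with the cloud UPN, not the on-premises one.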
Chapter summary

■ Azure AD roles can have permissions in Azure AD, permissions for Microsoft 365 products, or permissions across the Microsoft 365 stack.

■ Azure AD roles can be built-in or custom.

■ A role assignment includes the security principal, the role, the scope, and the type of assignment.

■ The scope of an assignment can be the directory, an administrative unit, or an Azure AD resource.

■ The type of assignment can be permanent eligible, permanent active, time-bound eligible, or time-bound active.

■ The UserPrincipalName (UPN) consists of a UPN prefix (user account name) and a UPN suffix (domain name) separated by the @ symbol.

■ After adding a new custom domain name to the tenant, you need to verify it, that is, prove that you own the domain name by configuring DNS records.

■ Registering a device in Azure AD is beneficial for single sign-on, signing in to the device with Azure AD credentials, device-based Conditional Access, and mobile device management enrollment scenarios.

■ Three device join types are available in Azure AD: Azure AD Registration, Azure AD Join, and Hybrid Azure AD Join.

■ Azure AD Registration is for Bring Your Own Device (BYOD) scenarios.

■ Azure AD Join and Hybrid Azure AD Join are for corporate Windows 10/11 devices.

■ A Hybrid Azure AD Joined device is a member of an on-premises AD domain and, on top of that, registered in Azure AD.

■ All three options (Azure AD Registration, Azure AD Join, and Hybrid Azure AD Join) provide single sign-on (SSO) to Azure AD.

■ Control the Hybrid Azure AD Join process for members of an on-premises domain by managing Service Connection Points (SCP).

■ Use Seamless SSO in situations where a Primary Refresh Token (PRT) is not available.

■ Place resources in administrative units for the purpose of delegating permissions.

■ Use the Access management for Azure resources toggle to grant a Global Administrator control over the subscriptions associated with the tenant.

■ Security groups are used for granting access to resources.

■ Microsoft 365 groups are used for collaboration between users, as well as between users and guests.

■ Group nesting is supported only between Security groups.

■ Use dynamic groups to configure attribute-based rules that populate group memberships.

■ Use Azure AD Self-Service Group Management to allow users to create and manage their own groups.

■ Use a Group expiration policy to automatically remove Microsoft 365 groups that are no longer in use.

■ Set the UsageLocation attribute for users before assigning Microsoft 365 licenses.

■ Use Azure AD B2B to invite business partners to your tenant and give them access to applications and resources.

■ Limit guests' permissions with the Guest user access restrictions setting.

■ Use Guest invite restrictions to limit who can invite guests. By default, any member or guest can invite new guests.

■ Use Azure AD Connect to synchronize objects between an on-premises environment and Azure AD, configure hybrid authentication, and monitor the health of the hybrid environment.

■ One Azure AD Connect server can synchronize multiple on-premises AD forests, but only with one Azure AD tenant.

■ Use staging-mode Azure AD Connect servers to test configuration changes and as a standby.

■ In a hybrid environment, the available authentication methods are Password Hash Synchronization (PHS), Pass-Through Authentication (PTA), and Federation.

■ Password Hash Synchronization is the recommended hybrid authentication method.

■ Azure AD Connect cloud sync is a newer synchronization service that uses lightweight agents on-premises and a synchronization engine in the cloud.

■ Use Azure AD Connect Health to monitor the Azure AD Connect synchronization engine, the on-premises ADDS environment, and the ADFS environment.


Thought experiment

In this thought experiment, you demonstrate your skills and knowledge of the topics covered in this chapter. You can find the answers in the section that follows.

You are an enterprise administrator for a company that is starting its Microsoft 365 journey. You have three on-premises AD forests with forest trusts between them. You need to configure synchronization of user, group, and device identities between the on-premises environment and an Azure AD tenant that you are about to create.

Today, all corporate Windows 10 devices are joined to an on-premises AD domain and managed through Group Policy Objects. You need to provide single sign-on from these devices to Azure AD, keeping them joined to the on-premises domain for the time being.

1. Which device registration model will you choose for the corporate Windows 10 devices?

2. Which synchronization mechanism will you use to synchronize identities between the on-premises environment and Azure AD?

3. Which authentication method will you configure for the hybrid environment? Assume that there are no additional requirements beyond those explicitly stated above.
Thought experiment answers

This section contains the solutions to the thought experiment. Each answer explains why the choice is correct.

1. Hybrid Azure AD Join. Hybrid Azure AD Joined devices are members of the on-premises domain and registered in the Azure AD tenant at the same time.

2. Azure AD Connect. Azure AD Connect cloud sync doesn't support synchronization of device identities at the time of writing. Forest trusts between the on-premises forests are not a prerequisite for an Azure AD Connect deployment, but they signal that there is network connectivity between the forests, which is a prerequisite.

3. Password Hash Synchronization is the recommended authentication method because it does not depend on the on-premises environment for every sign-in.
Implement an authentication and access management solution

Attacks on user accounts and passwords have increased significantly in recent years. Common brute-force and password spray attacks are extremely effective against accounts protected by a password alone. Furthermore, leaked credentials are sold on the dark web, allowing anyone to instantly gain access to tens of thousands of user accounts and passwords. The root cause is that passwords alone cannot counter the volume and sophistication of the attacks against them. Azure AD offers robust multifactor authentication mechanisms that help safeguard access to critical organizational resources by adding another layer of security through a secondary form of authentication. Azure AD also offers fine-grained and coarse-grained access management solutions, such as Conditional Access, which enable organizations with varying security posture requirements to implement policies that meet their business requirements.

Skills covered in this chapter:

■ Skill 2.1: Plan, implement, and manage Azure Multifactor Authentication (MFA) and self-service password reset

■ Skill 2.2: Plan, implement, and manage Azure AD user authentication

■ Skill 2.3: Plan, implement, and manage Azure AD conditional access

■ Skill 2.4: Manage Azure AD Identity Protection

■ Skill 2.5: Implement access management for Azure resources
Skill 2.1: Plan, implement, and manage Azure Multifactor Authentication (MFA) and self-service password reset

To improve the security posture of an organization and to mitigate the threats associated with passwords, it is highly recommended to add a second factor to user authentication. Adding an additional factor immediately improves account security, because an attacker must compromise the additional factor as well as the password to take over the account.

Azure provides a range of options for configuring multifactor authentication (MFA), which requires careful planning and administration.

This skill covers how to:

■ Plan Azure MFA deployment, excluding MFA Server

■ Configure and deploy self-service password reset

■ Implement and manage Azure MFA settings

■ Manage MFA settings for users

■ Extend Azure AD MFA to third-party and on-premises devices

■ Monitor Azure AD MFA activity

Plan Azure MFA deployment, excluding MFA Server

Azure Multifactor Authentication (MFA) requires you to authenticate using two or more factors to establish your identity. These factors follow this pattern:

■ Something you know: this could be a password, a passphrase, or a security question.

■ Something you possess: this could be a token-generating device or a software-based application, such as a mobile app.

■ Something you are: this could be a biometric property of a person, such as a face scan, fingerprint, or retina scan.

Azure MFA offers several options for user authentication to enable two-step verification. The underlying theme of two-step verification is to protect the sign-in process by making it incrementally more difficult for a malicious actor to compromise the account, while also ensuring that the sign-in process is not cumbersome. For example, during sign-in some users might prefer to enter their password and then approve a push notification on their device, whereas others might prefer to receive a phone call because they do not have access to a smart device. As you will see in the following sections, carefully evaluating the various authentication options is critical for Azure MFA end-user adoption.
Determining a rollout strategy for Azure MFA

You need to think strategically about the rollout of Azure MFA within an organization. Striking the right balance between deployment velocity and scope is the key to a successful rollout. Following are key points to keep in mind:

■ Plan the deployment in small iterations by starting with a small subset of users who are receptive to change and whose daily tasks are least impacted by the rollout.

■ Provide users with clear guidance regarding the registration process along with the MFA methods available to them for authentication.

■ Continuously monitor for any issues reported by users, including steep learning curves, lack of preferred authentication methods, and technical challenges that may hamper adoption.

■ Ensure that support staff are trained well in advance of the rollout.

■ Anticipate some resistance from a subset of users due to the change in their daily routine.

Licensing requirements for Azure MFA

Azure MFA licensing can be configured in a variety of ways. Understanding how licensing affects the availability of various MFA features to end users is an important part of planning. Table 2-1 provides a high-level breakdown of Azure MFA features along with the Azure AD and Microsoft 365 license requirements.

TABLE 2-1 Azure AD licenses and high-level MFA features

License Type                                            Description
Azure Active Directory Free                             Includes security defaults, which prompt users for MFA as needed and provide baseline security for user accounts.
Azure Active Directory Premium P1                       Same as Azure Active Directory Free, plus the Azure AD Conditional Access feature, which allows implementation of fine-grained organization policies for MFA.
Azure Active Directory Premium P2                       Same as Azure Active Directory Premium P1, plus support for risk-based Conditional Access policies.
EMS E3, Microsoft 365 E3, and Microsoft 365 Premium     Includes the Azure Active Directory Premium P1 features (as described above).
EMS E5 and Microsoft 365 E5                             Includes the Azure Active Directory Premium P2 features (as described above).
NEED MORE REVIEW? FEATURES AND LICENSES FOR AZURE AD MFA

Read more about the different ways Azure MFA can be licensed and used at:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing#available-versions-of-azure-ad-multi-factor-authentication

Table 2-2 lists the commonly used Azure AD MFA and access management features, as well as the Azure AD licenses that support them.

TABLE 2-2 Azure AD licenses and specific MFA features

Feature                              Azure AD Free   Azure AD P1   Azure AD P2
Mobile app as a second factor        Yes             Yes           Yes
Phone call as a second factor        No              Yes           Yes
SMS as a second factor               No              Yes           Yes
Custom greetings for phone calls     No              Yes           Yes
Custom caller ID for phone calls     No              Yes           Yes
Conditional Access                   No              Yes           Yes
Risk-based Conditional Access        No              No            Yes

Conditional Access is an Azure AD Premium P1 feature, consistent with Table 2-1; only risk-based Conditional Access requires Premium P2.

Configure and deploy self-service password reset

Self-service password reset (SSPR) is a feature in Azure AD that allows users to change or reset their password without help from support or an IT administrator. With SSPR, users who forget their password follow a series of prompts to reset it, or to unlock their account. It also saves the organization money, because support staff can focus on other urgent matters.

To enable self-service password reset:

1. Sign in as a Global Administrator to the Azure portal at https://portal.azure.com.

2. Navigate to Azure Active Directory.

3. Select Password Reset from the left-side pane, as shown in Figure 2-1.
FIGURE 2-1 Password reset.

4. On the Properties page, under Self service password reset enabled, select All, as shown in Figure 2-2. This enables all users in the tenant to reset their password using SSPR. You can instead select Selected and choose a group, which allows only the users in that group to reset their password.

FIGURE 2-2 Password reset properties.


5. Click Save. 
Register an authentication method for self-service password reset

Follow the steps below to sign in as a user and register a phone number that will be used during SSPR.

1. Sign in as a user to the My Sign-Ins portal at https://mysignins.microsoft.com.

2. On the Keep your account secure page, enter the phone number and click Next, as shown in Figure 2-3. A text code will be sent to the phone number provided.


FIGURE 2-3 Phone number validation via SMS message. The Keep your account secure page asks which phone number to use and offers the Text me a code option.


3. Enter the text code received on the phone number and click Next. Figure 2-4 shows a 
sample text code sent to the phone number registered in the previous step. 
FIGURE 2-4 Phone number verification via 6-digit code.


4. You should see the message SMS verified. Your phone was registered successfully, as shown in Figure 2-5. Click Next.


FIGURE 2-5 Phone number registration success.
5. Click Done to complete the phone number registration process for SSPR, as shown in Figure 2-6.


FIGURE 2-6 Security configuration information completion success message. The page confirms that the security info is set up and shows Phone as the default sign-in method.


You can close the browser. You don't need to finish the sign-in process at this time. 


Reset password using Self Service Password Reset

Follow the steps below to reset the user's password using Self Service Password Reset:

1. Navigate to https://passwordreset.microsoftonline.com/ using an InPrivate or Incognito browser session.

2. Enter the user's Email or Username and complete the CAPTCHA check, as shown in Figure 2-7, and then click Next.
FIGURE 2-7 Get back into your account using email or username.

3. Choose Text my mobile phone as the contact method and enter the phone number associated with the account, as shown in Figure 2-8, and then press Text. A text message with a verification code will be sent to this phone number.

FIGURE 2-8 Enter a phone number.
4. Enter the verification code, as shown in Figure 2-9, and then press Next.


FIGURE 2-9 Phone number verification.


5. Enter and confirm the new password, as shown in Figure 2-10, and then click Finish.


FIGURE 2-10 Enter new password.
6. The success message "Your password has been reset" will appear on the page, as shown in Figure 2-11. This confirms that the user account password has been reset successfully. You can now close the browser.


FIGURE 2-11 Password reset success.


Implement and manage Azure MFA settings 


The steps below demonstrate how to set up and manage Azure MFA settings. Please note that you must have an active Azure subscription in order to complete the tasks in this skill and the others in this chapter. To sign up for a free trial subscription, visit https://azure.microsoft.com/en-us/offers/ms-azr-0044p/

1. Sign in to the Azure portal, https://portal.azure.com, using a Global Administrator account.

2. Navigate to the Azure Active Directory dashboard by using the Azure Active Directory option available in the sidebar of the Azure portal.

3. Select the Security option located under the Manage section on the left side, as shown in Figure 2-12.
FIGURE 2-12 Azure AD home page with Security option.


4. Select the MFA option located under the Manage section on the Security page, as shown in Figure 2-13.

FIGURE 2-13 Azure AD Security page with MFA configuration options.
5. Select the Additional cloud-based MFA settings link located under Configure, as shown in Figure 2-14. This will open a new page with all available options for MFA.

FIGURE 2-14 Azure AD Multi-Factor Authentication (MFA).


6. By default, all available MFA verification options are selected, as shown in Figure 2-15. You can deselect one or more of these verification options as needed based on your MFA planning. It is recommended that users have at least two MFA methods registered, so that a second method is available if the primary one is unavailable. Review Table 2-3 for more details about each MFA setting available on this page.

FIGURE 2-15 Azure AD MFA service settings.


TABLE 2-3 Azure AD MFA service settings

Setting                            Description
App passwords                      ■ Allow users to create app passwords to sign in to non-browser apps
                                   ■ Do not allow users to create app passwords to sign in to non-browser apps
Trusted IPs                        Allow bypass of multifactor authentication prompts for users who sign in from a defined IP address range.
Verification options               The available verification options for MFA:
                                   ■ Call to phone
                                   ■ Text message to phone
                                   ■ Notification through mobile app
                                   ■ Verification code from mobile app or hardware token
Remember MFA on trusted device     When enabled, allows users to skip subsequent MFA verifications for a set number of days (up to 365 days) after successfully signing in using MFA on a trusted device.
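Because every address inside a Trusted IPs range skips the MFA prompt, it is worth checking exactly which sign-in sources a configured range covers before you save it. The PowerShell below is an added example and is not code from the book or from the MFA service: it parses IPv4 ranges in the CIDR form the Trusted IPs setting accepts and reports, for a list of sign-in addresses, which ones would bypass MFA and which range matched. The function names and every address and range are this example's own constructed values.

```powershell
# Added example, not from the book or from the MFA service. Function names and all
# addresses and ranges are constructed for illustration.

function ConvertTo-IPv4Integer {
    # Turns a dotted IPv4 address into its 32-bit unsigned value so a mask can be applied.
    param([Parameter(Mandatory)] [string] $Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()   # network byte order
    if ($bytes.Length -ne 4) { throw "IPv4 address expected: $Address" }
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InCidr {
    # True when $Address lies inside $Cidr ("203.0.113.0/24"); a bare address means /32.
    param(
        [Parameter(Mandatory)] [string] $Address,
        [Parameter(Mandatory)] [string] $Cidr
    )
    $network, $prefix = $Cidr -split '/'
    if (-not $prefix) { $prefix = 32 }
    $prefix = [int]$prefix
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Prefix length out of range in $Cidr" }
    # Mask with the top $prefix bits set; the arithmetic stays exact in a double.
    $mask = [uint32](4294967295 - ([math]::Pow(2, 32 - $prefix) - 1))
    $addr = ConvertTo-IPv4Integer $Address
    $net  = ConvertTo-IPv4Integer $network
    return (($addr -band $mask) -eq ($net -band $mask))
}

function Get-TrustedIpBypass {
    # For each sign-in source, reports whether a Trusted IPs range would suppress the
    # MFA prompt and which range matched first.
    param(
        [Parameter(Mandatory)] [string[]] $TrustedIpRange,   # entries as typed into the Trusted IPs setting
        [Parameter(Mandatory)] [string[]] $SourceAddress     # sign-in source IPs to evaluate
    )
    foreach ($ip in $SourceAddress) {
        $match = $TrustedIpRange | Where-Object { Test-IPv4InCidr -Address $ip -Cidr $_ } | Select-Object -First 1
        [pscustomobject]@{
            SourceAddress = $ip
            MfaBypassed   = [bool]$match
            MatchedRange  = $match
        }
    }
}

# Constructed sample: the office egress /24 plus a single VPN concentrator address,
# evaluated for an office user, the concentrator, its neighbour, and an outside address.
$trusted = @('203.0.113.0/24', '198.51.100.17')
Get-TrustedIpBypass -TrustedIpRange $trusted `
    -SourceAddress '203.0.113.45', '198.51.100.17', '198.51.100.18', '192.0.2.9' |
    Format-Table -AutoSize
```

Feed the function the source addresses from your sign-in logs to see how much of your real traffic a proposed range would exempt from MFA; a range that also covers a guest Wi-Fi or NAT pool shared with untrusted devices is a common mistake this check exposes. Trusted IPs is an Azure AD Premium P1 feature, and the same evaluation applies to named locations used in Conditional Access policies.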
In addition to the MFA service settings, Azure AD also provides further configuration options for MFA, as summarized in Table 2-4.

TABLE 2-4 Azure AD MFA settings

Setting                Description
Account lockout        Temporarily lock accounts using the MFA service when there are many denied authentication attempts in a row. This applies only to users who enter a PIN to authenticate. The following settings are available:
                       ■ Number of MFA denials that trigger account lockout
                       ■ Minutes until account lockout counter is reset
                       ■ Minutes until account is automatically unlocked
Block/unblock users    Blocked users will not receive MFA requests. Users remain blocked for 90 days from the time they are blocked. Blocked users can be manually unblocked by an administrator using the Unblock action.
Fraud alert            The fraud alert allows users to report a fraudulent MFA attempt when they receive a prompt they did not initiate, for example one from an unknown source. Users can report the attempt from their phone or from the Microsoft Authenticator app. There are two configuration options:
                       ■ Automatically block users who report fraud: blocks the reporting user account for 90 days or until an administrator unblocks it.
                       ■ Code to report fraud during initial greeting: the code (default 0) that the user enters during a phone call to report fraud before pressing #.
Notifications          Email notifications are sent to identity administrators when users report a fraud alert.
OATH tokens            OATH time-based one-time password (TOTP) SHA-1 tokens that refresh codes every 30 or 60 seconds are supported. OATH tokens are uploaded in a comma-separated values (CSV) file. See https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#oath-tokens.
Phone call settings    Enables customization of the caller ID and the voice greeting the user hears during an MFA call. When the caller ID is not customized, voice calls come from the phone number +1 (855) 330-8653 within the United States. Make sure users are aware of this number and that it is excluded from any spam filters.
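The OATH tokens upload file has a fixed column layout, documented at the link in Table 2-4: upn,serial number,secret key,time interval,manufacturer,model, with the secret key in base32 and the interval 30 or 60 seconds. The PowerShell below is an added example, not code from the book or from Microsoft. It writes that file from a list of token records, rejects a seed that is not base32 or an interval the service does not support, and computes the RFC 6238 SHA-1 TOTP for a seed so you can compare it with the code on the physical token before you upload and activate it. The function names and the token records are constructed; the seed used is the RFC 6238 test seed (ASCII 12345678901234567890, base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ), for which the RFC's test vectors give 94287082 at Unix time 59, so the six-digit code at that instant is 287082.

```powershell
# Added example, not from the book or from Microsoft. Function names and token
# records are constructed for illustration.

function ConvertFrom-Base32 {
    # Decodes an RFC 4648 base32 string (case-insensitive, optional '=' padding) to bytes.
    param([Parameter(Mandatory)] [string] $Text)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = ''
    foreach ($c in $Text.ToUpperInvariant().TrimEnd('=').ToCharArray()) {
        $v = $alphabet.IndexOf($c)
        if ($v -lt 0) { throw "Secret key is not base32 (character '$c')" }
        $bits += [Convert]::ToString($v, 2).PadLeft(5, '0')
    }
    $bytes = for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        [Convert]::ToByte($bits.Substring($i, 8), 2)
    }
    return [byte[]]$bytes
}

function Get-TotpCode {
    # RFC 6238 TOTP with HMAC-SHA1, the algorithm the OATH tokens setting supports.
    param(
        [Parameter(Mandatory)] [string] $SecretKey,              # base32 seed from the token vendor
        [ValidateSet(30, 60)] [int] $TimeInterval = 30,
        [long] $UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    )
    $counter = [long][math]::Floor($UnixTime / $TimeInterval)
    $message = [BitConverter]::GetBytes($counter)                  # 8-byte counter, big-endian on the wire
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($message) }
    $hmac = New-Object System.Security.Cryptography.HMACSHA1 -ArgumentList (,(ConvertFrom-Base32 $SecretKey))
    $hash = $hmac.ComputeHash($message)
    $offset = $hash[19] -band 0x0F                                  # dynamic truncation (RFC 4226)
    $binary = (([int]$hash[$offset] -band 0x7F) -shl 24) -bor ([int]$hash[$offset + 1] -shl 16) -bor ([int]$hash[$offset + 2] -shl 8) -bor [int]$hash[$offset + 3]
    return ($binary % 1000000).ToString('D6')
}

function New-OathTokenUploadFile {
    # Writes the CSV in the column order the Azure portal upload expects.
    param(
        [Parameter(Mandatory)] [object[]] $Token,   # objects with Upn, SerialNumber, SecretKey, TimeInterval, Manufacturer, Model
        [Parameter(Mandatory)] [string]   $Path
    )
    $lines = @('upn,serial number,secret key,time interval,manufacturer,model')
    foreach ($t in $Token) {
        if ($t.TimeInterval -notin 30, 60) { throw "Time interval must be 30 or 60 (serial $($t.SerialNumber))" }
        $null = ConvertFrom-Base32 $t.SecretKey   # rejects a seed the service would not accept
        $lines += ($t.Upn, $t.SerialNumber, $t.SecretKey, $t.TimeInterval, $t.Manufacturer, $t.Model) -join ','
    }
    Set-Content -Path $Path -Value $lines -Encoding ascii
    return $lines.Count - 1                        # number of token rows written
}

# Constructed sample token whose seed is the RFC 6238 test seed.
$tokens = @(
    [pscustomobject]@{
        Upn = 'vasa.petr@northwindelectriccars.com'; SerialNumber = '1234567'
        SecretKey = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'; TimeInterval = 30
        Manufacturer = 'Contoso'; Model = 'HardwareKey'
    }
)
New-OathTokenUploadFile -Token $tokens -Path (Join-Path $env:TEMP 'oath-tokens.csv')
# Check the seed against the RFC vector (Unix time 59), then against the token right now.
Get-TotpCode -SecretKey $tokens[0].SecretKey -UnixTime 59
Get-TotpCode -SecretKey $tokens[0].SecretKey -TimeInterval $tokens[0].TimeInterval
```

After the upload, the portal asks you to activate each token by entering the code it currently displays; running Get-TotpCode with the seed from the vendor's file and comparing it with the device first tells you whether a failed activation is a wrong seed, a wrong interval, or a clock problem on the token. Treat the CSV as a credential file: it contains every seed in the clear, so delete it once the tokens are activated.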


Manage MFA settings for users

Administrators can manage the following MFA settings for a specific user:

■ Phone number: Configure the phone number the user uses to perform MFA via either SMS or a voice call.

■ Email address: Configure the email address of the user. The email address can be used for self-service password reset (SSPR) but not as an MFA method.

■ Revoke MFA sessions: Clears the user's remembered MFA sessions and requires them to perform MFA the next time it is required by the policy on the device.

■ Require re-register MFA: Removes the user's registered MFA methods, so that the user is prompted to set up a new authentication method at the next sign-in.

■ Reset password: Assigns a temporary password to the user account, which must be changed by the user at their next sign-in.
To configure the phone authentication methods and the email address of a user:

1. Sign in as an administrator to the Azure portal at https://portal.azure.com.

2. Navigate to Azure Active Directory.

3. Select Users from the left pane, as shown in Figure 2-16.
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FIGURE 2-16 Azure AD Users option. 


4. On the Users page, select the user you'd like to configure the authentication method for 
MFA. You can use the search bar, as shown in Figure 2-17. 
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FIGURE 2-17 Azure AD All users. 


5. Select Authentication methods from the left side, as shown in Figure 2-18. 
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FIGURE 2-18 Azure AD Authentication methods. 
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6. 


7. 


Fill in the following information: 


m Phone: This is the phone number used during the MFA authentication. Make sure 
there is a space between the region/country code and the phone number. For 
example, +1 1224567890. 


m Phone: This is the alternate phone number used during the MFA authentication in 
case the primary phone number is not available. 


m Email: The email address used during MFA authentication. An email address alone 
cannot be used for MFA. 


Click the Save button located on the top row, as shown in Figure 2-19. 
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FIGURE 2-19 Azure AD Authentication contact info. 


Extend Azure AD MFA to third-party and on-premises devices 

To help you safeguard third-party and on-premises devices, Microsoft Intune can be used with Azure Active Directory (Azure AD) Conditional Access to mandate multifactor authentication (MFA) for device activation. MFA functions by requiring any two or more of the verification techniques listed below: 

■ Something you are aware of (typically a password or PIN) 
■ Something you possess (a reliable item that is difficult to copy, such as a phone) 
■ Something that identifies you physically (biometrics, such as a fingerprint) 

MFA is supported for iOS/iPadOS, macOS, Android, and Windows 8.1 or later devices. Please note that when end users enroll their device, they now must authenticate with a second form of identification, such as a PIN, a phone, or biometrics. More information about extending MFA on devices can be found at https://learn.microsoft.com/en-us/mem/intune/enrollment/multi-factor-authentication#configure-intune-to-require-multifactor-authentication-at-device-enrollment. 


Monitor Azure AD MFA activity 

The Azure Active Directory (Azure AD) sign-ins report can be used to review and understand Azure AD Multi-Factor Authentication events. This report provides the following insights: 

■ Was the sign-in hampered by MFA? 
■ How did the user finish MFA? 
■ Which methods of authentication were used during a sign-in? 
■ Why couldn't the user complete MFA? 
■ How many users were asked to provide MFA? 
■ How many users failed the MFA challenge? 
■ What are the most common MFA issues that end users face? 

Step-by-step instructions on how to access the sign-ins report can be found at https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-reporting#view-the-azure-ad-sign-ins-report. 
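The questions above are the ones an administrator asks of exported sign-in data. The following script is an added example (it is not code from the book or from Microsoft) that answers them over a handful of constructed records shaped like the Microsoft Graph signIn resource (authenticationRequirement, status.errorCode, status.failureReason, mfaDetail.authMethod). The user names and the failure codes in the sample are illustrative values; check real codes against the sign-ins report documentation linked above.

```python
"""Summarize MFA outcomes from Azure AD sign-in records.

Added example, not code from the book. The records are constructed to resemble
the Microsoft Graph signIn resource; the users and failure codes are sample
values for illustration only.
"""
from collections import Counter

# Constructed sample: five sign-in events for three users (not real log data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0, "failureReason": "Other."},
     "mfaDetail": {"authMethod": "Mobile app notification"}},
    {"userPrincipalName": "bob@contoso.example",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 500121,
                "failureReason": "Authentication failed during strong authentication request."},
     "mfaDetail": {"authMethod": "Text message"}},
    {"userPrincipalName": "bob@contoso.example",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 50158,
                "failureReason": "External security challenge was not satisfied."},
     "mfaDetail": {"authMethod": "Text message"}},
    {"userPrincipalName": "carol@contoso.example",
     "authenticationRequirement": "singleFactorAuthentication",   # no MFA asked
     "status": {"errorCode": 0, "failureReason": "Other."},
     "mfaDetail": {}},
    {"userPrincipalName": "bob@contoso.example",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0, "failureReason": "Other."},
     "mfaDetail": {"authMethod": "Text message"}},
]


def summarize_mfa(signins):
    """Answer the sign-ins report questions from the text over a list of records."""
    challenged = [s for s in signins
                  if s.get("authenticationRequirement") == "multiFactorAuthentication"]
    # errorCode 0 means the sign-in succeeded; anything else is a failed challenge
    failed = [s for s in challenged if s.get("status", {}).get("errorCode", 0) != 0]
    failed_ids = {id(s) for s in failed}
    users_asked = {s["userPrincipalName"] for s in challenged}
    users_failed = {s["userPrincipalName"] for s in failed}
    users_succeeded = {s["userPrincipalName"] for s in challenged
                       if id(s) not in failed_ids}
    methods = Counter(s.get("mfaDetail", {}).get("authMethod") or "none"
                      for s in challenged)
    reasons = Counter(s["status"].get("failureReason", "unknown") for s in failed)
    return {
        "mfa_challenges": len(challenged),          # sign-ins that required MFA
        "failed_challenges": len(failed),           # challenges not completed
        "users_asked_for_mfa": len(users_asked),    # distinct users prompted
        "users_failed_mfa": len(users_failed),      # distinct users with a failure
        # users who failed and never completed MFA in this window: worth a follow-up
        "users_never_completed": sorted(users_failed - users_succeeded),
        "methods_used": dict(methods),              # which methods were used
        "top_failure_reasons": reasons.most_common(3),  # most common issues
    }


if __name__ == "__main__":
    for key, value in summarize_mfa(SAMPLE_SIGNINS).items():
        print("%-22s %s" % (key, value))
```

Feed it the JSON export of the sign-ins report (or a Log Analytics query result) instead of SAMPLE_SIGNINS and the same questions are answered for a real tenant; the "users_never_completed" list is the one to act on first, since it separates a user who was merely prompted twice from one who is locked out of a method.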


Skill 2.2: Plan, implement, and manage Azure AD user authentication 

When a user signs in to a device, application, or service, one of the primary functions of Azure AD is to authenticate credentials. However, in Azure AD, there are multiple options for user authentication that go beyond simply verifying a username and password and provide a range of security protections such as phishing resistance, biometrics, and so on. 

This skill covers how to: 

■ Plan for authentication 
■ Implement and manage authentication methods 
■ Implement and manage Windows Hello for Business 
■ Implement and manage password protection and smart lockout 
■ Implement certificate-based authentication in Azure AD 
■ Configure Azure AD user authentication for Windows and Linux virtual machines on Azure 

Plan for authentication 


Planning for authentication is an important part of determining which method provides the 
best combination of usability and security. Traditionally, username and password is the most 
popular authentication method used to verify user credentials. However, it is also the least 
secure method because it is easy to launch a brute force attack against the passwords. To im- 
prove security, it is highly recommended to replace the password or at least use an additional 
authentication method for sign-ins. Azure AD provides a range of passwordless MFA methods 
to the users. 


Users can use Azure AD passwordless authentication methods such as FIDO2 security keys, 
Windows Hello for Business, and the Microsoft Authenticator app during sign-ins. 


Table 2-5 provides a summary of various authentication methods that can be used for 
sign-ins. Please note that some of these methods can be used for both MFA and self-service 
password reset (SSPR). (SSPR is covered in a later section.) 


TABLE 2-5 Azure AD authentication methods and usage. 

Password 
Usage: Azure AD MFA and SSPR 

Microsoft Authenticator app 
Usage: Azure AD MFA and SSPR 
Available to users on the iOS and Android operating systems. Users may register their mobile app at https://aka.ms/mfasetup. By using the Microsoft Authenticator app, users receive push notifications on their smartphone or tablet and then reject or approve the request. Users can also use the Microsoft Authenticator app to generate an OATH verification code. During the sign-in process, this verification code can be used as a second form of authentication. 

Voice call 
Usage: Azure AD MFA and SSPR 
A voice call is placed by the Azure automated voice system to the user's phone number. The user receives the call and then must use the keypad to confirm or deny the authentication. 

Text messages 
Usage: Azure AD MFA and SSPR 
A text message containing a time-bound verification code is sent by Azure MFA via SMS to the user's mobile phone. The user must enter this verification code during the sign-in process within the specified time period to complete the verification process. 

FIDO2 Security Key 
Usage: Azure AD MFA and SSPR 
Fast Identity Online (FIDO) is an open standard for passwordless authentication. The user first needs to register a FIDO2 security key and then select it at the time of sign-in for authentication purposes. FIDO2 security keys are available in the form of USB, Bluetooth, and NFC devices. 

Windows Hello for Business 
Usage: Azure AD MFA and SSPR 
Windows Hello for Business (WHfB) is a fully integrated biometric authentication method based on facial recognition or fingerprint matching. Users need Windows 10 or a later version of the Windows operating system to use WHfB to sign in to Azure Active Directory. 

OATH software token 
Usage: Azure AD MFA and SSPR 
Users can use the Microsoft Authenticator app or other similar authenticator apps that can generate software-based OATH tokens to sign in to Azure Active Directory. 

OATH hardware token 
Usage: Azure AD MFA and SSPR 
OATH is an open standard to generate one-time password (OTP) verification codes. Azure Active Directory natively supports hardware-based OATH time-based one-time password SHA-1 tokens with 30 seconds or 60 seconds validity. Users can use hardware devices from their preferred vendors, which are compatible with OATH standards, to generate OTPs and use them to sign in to Azure Active Directory. 


EXAM TIP 

When evaluating various authentication methods for MFA, keep in mind the overall context of the scenario provided in the question. For example, using the Microsoft Authenticator app might be a convenient option for certain demographics that may have access to a smartphone with a reasonable internet connection. However, a phone call may be a better option if the targeted demographic lacks access to smartphones or has intermittent internet connectivity. Usually, the best choice of an MFA method is determined by a combination of various factors, such as cost, adoption, and security. 


Implement and manage authentication methods 


As part of the Azure AD sign-in experience, basic password-based authentication should be 
supplemented or replaced with a more secure authentication method such as FIDO. 


Working with FIDO2 


The Fast IDentity Online (FIDO) Alliance’s goal is to replace passwords with strong passwordless 
authentication that is both secure and usable. The latest version of the open specification for 
passwordless authentication, FIDO2, incorporates the W3C Web Authentication (WebAuthn) 
standard as well as the FIDO Client to Authenticator Protocol 2 (CTAP2). Users can sign in using 
an unphishable FIDO2 security key stored in a hardware device that can be accessed via com- 
monly used protocols such as NFC (near-field communication), Bluetooth, and USB. 


FIDO2 security keys can be used to sign in to Azure AD-joined or hybrid Azure AD-joined devices to achieve single sign-on to cloud and on-premises resources. 
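The "unphishable" property mentioned above comes from what the authenticator signs and what the relying party checks, not from the key hardware alone. The following is an added example, not code from the book or from Microsoft, showing the server-side checks on a WebAuthn assertion that defeat a lookalike site: the client data must carry the expected challenge and an allowed origin, the authenticator data must hash to the relying party ID, user presence must be asserted, and the signature counter must move forward. The relying party ID "login.example.com", the origins, and the challenge are assumed values; the signature verification over authData || SHA-256(clientDataJSON) needs an asymmetric-crypto library and is left out here.

```python
"""Relying-party checks that make a FIDO2/WebAuthn assertion phishing-resistant.

Added example, not code from the book or from Microsoft. RP_ID, ALLOWED_ORIGINS
and the challenge are assumed values. Signature verification is not included.
"""
import base64
import hashlib
import json
import struct

RP_ID = "login.example.com"                 # assumed relying party ID
ALLOWED_ORIGINS = {"https://login.example.com"}   # assumed; exact origin match only

FLAG_UP = 0x01   # user present (touch)
FLAG_UV = 0x04   # user verified (PIN or biometric)


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_authenticator_data(rp_id, flags, sign_count):
    """WebAuthn layout: rpIdHash(32) || flags(1) || signCount(4, big-endian)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


def make_client_data(challenge, origin):
    """What the browser produces: it, not the page, fills in the origin."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def check_assertion(auth_data, client_data_json, expected_challenge,
                    stored_sign_count, require_uv=False):
    """Return (ok, reason). On success the caller stores the new sign count."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    # A phishing page at another origin cannot make the browser claim this one.
    if client.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed: %s" % client.get("origin")
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    # The key is scoped to the RP ID; a key registered elsewhere hashes differently.
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match relying party"
    flags = auth_data[32]
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if require_uv and not flags & FLAG_UV:
        return False, "user verification required but not performed"
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    # A counter that does not advance suggests a cloned authenticator.
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        return False, "signature counter did not increase (possible cloned key)"
    return True, "ok (signature check still required)"


if __name__ == "__main__":
    challenge = b"constructed-challenge-0123456789"   # constructed, not random
    auth = make_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, 11)
    print(check_assertion(auth, make_client_data(challenge, "https://login.example.com"),
                          challenge, 10))
    print(check_assertion(auth, make_client_data(challenge, "https://login.example.com.evil.test"),
                          challenge, 10))
```

In a real deployment the challenge is a fresh random value stored against the session, and the assertion is accepted only after the signature over authData and the client data hash verifies against the public key registered for that credential ID.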


NEED MORE REVIEW? PASSWORDLESS AUTHENTICATION AND COMBINED REGISTRATION FEATURES 

Read more about passwordless authentication's reliance on the combined registration feature at: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key#enable-the-combined-registration-experience. 
Enabling the FIDO2 security key method 

To enable the FIDO2 security key method for Azure AD: 

1. Sign in as an administrator to the Azure portal at http://portal.azure.com. 
2. Navigate to Azure Active Directory. 
3. Select Security from the left pane, as shown in Figure 2-20. 

FIGURE 2-20 Azure AD home page with Security option. 

4. Select Authentication methods from the left pane, as shown in Figure 2-21. 

FIGURE 2-21 Azure AD Security settings with the Authentication methods option. 

5. Select FIDO2 Security Key from the list of available methods, as shown in Figure 2-22. 

FIGURE 2-22 Azure AD Authentication methods. 

6. Under the Basics tab, choose the following options, as shown in Figure 2-23. 
■ Enable: Yes 
■ Target: All users 

FIGURE 2-23 Azure AD FIDO2 Security Key settings. 

7. Under the Configure tab, choose the following options, as shown in Figure 2-24. 
■ Allow self-service set up: Yes 
■ Enforce attestation: No (Default) 
■ Enforce key restrictions: No (Default) 
■ Restrict specific keys: Block (Default) 


FIGURE 2-24 Azure AD FIDO2 Security Key configuration options. 


8. Click Save. 


Register a FIDO2 security key 

The user must configure a FIDO2 security key using the steps below before it can be used for sign-in: 

1. Navigate to the URL https://myprofile.microsoft.com/. 
2. Sign in with the user account for which the FIDO2 security key needs to be configured. 
3. Select Security info, as shown in Figure 2-25. Make sure there is at least one Azure AD MFA method already registered; otherwise, you must first register for an MFA method before you can register a FIDO2 security key. 

FIGURE 2-25 My Sign-Ins Security info. 

4. Select Security key from the dropdown and click Add, as shown in Figure 2-26. 

FIGURE 2-26 Adding a security key as an authentication method. 

5. Choose the type of security key, USB device or NFC device, that you would like to use, as shown in Figure 2-27. 

FIGURE 2-27 Security key type selection screen. 

6. Complete the registration process by creating or using a PIN for the security key and then perform a biometric or touch gesture. 
7. Provide a meaningful name for the key and select Next. 
8. Finally, select Done to finish the process. 


Sign in with passwordless credentials using a FIDO2 security key 

The steps below demonstrate how to sign in with passwordless credentials using a FIDO2 security key. 

1. Sign in to the Azure portal at https://portal.azure.com/ using the account for which a FIDO2 security key is already registered. 
2. Complete the sign-in process by providing the security key. For example, Figure 2-28 shows the pop-up message presented by the browser asking a user who has previously registered the security key using a USB device to use it to finish the authentication process. 

FIGURE 2-28 Sign-in process with security key. 

3. After the successful passwordless authentication using the security key, the user will be taken to the Azure portal (https://portal.azure.com), as shown in Figure 2-29. 

FIGURE 2-29 The Azure portal. 


Implement and manage Windows Hello for Business 

Windows Hello for Business allows users to use strong two-factor authentication to replace passwords on their Windows 10 or Windows 11 devices. Users are given a credential that is linked to their device and uses a biometric or PIN for authentication. Users can also use Windows Hello for Business to authenticate and sign in to Azure Active Directory, Active Directory, Microsoft Account, or any FIDO2-enabled service. 

Keep the following key characteristics in mind when implementing Windows Hello for Business: 

■ The credentials for Windows Hello are based on a certificate or an asymmetric key pair. Windows Hello credentials can be bound to a device, and the token obtained with the credential can also be bound to the device. 
■ During the registration process, the identity provider (such as Active Directory, Azure AD, or a Microsoft account) validates the user's identity and maps the Windows Hello public key to a user account. 
■ Depending on the policy, keys can be generated in the hardware Trusted Platform Module (TPM), v1.2 or v2.0 for enterprises and v2.0 for consumers, or through software. When using a TPM, the private key never leaves the device. During the registration process, the authenticating server assigns a public key to the user account. 
■ Two-factor authentication is used, which combines a key or certificate tied to a device with something the person knows (a PIN) or something physically associated with the person (biometrics). 
■ For keys, both personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container. 
■ To help ensure user privacy, all keys are separated by identity providers' domains. 
■ The Windows Hello gesture is not shared with the server and does not roam between devices. 
■ Templates for biometrics are kept locally on a device. 
■ PINs are never saved or shared. 


Table 2-6 lists various Windows Hello for Business features that help improve the overall security posture. 

TABLE 2-6 Windows Hello for Business features 

Feature: Dual Enrollment 
Description: This feature enables administrators to enroll both non-privileged and privileged credentials to perform elevated administrative functions on their device. https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment 
Requirements: 
■ Hybrid and On-premises Windows Hello for Business deployments 
■ Enterprise joined or Hybrid Azure joined devices 
■ Windows 10, version 1709 or later 
■ Certificate trust 

Feature: Dynamic Lock 
Description: This feature allows users to enhance the security of their Windows device by configuring it to lock automatically when a Bluetooth-paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. 
Requirements: 
■ Windows 10, version 1703 or later 

Feature: Multifactor Unlock 
Description: This feature allows Windows 10 and Windows 11 devices to be configured such that users require a combination of authentication factors and trusted signals to unlock their devices. https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock 
Requirements: 
■ Windows Hello for Business deployment (Hybrid or On-premises) 
■ Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments) 
■ Windows 10, version 1709 or newer, or Windows 11 
■ Bluetooth, Bluetooth-capable phone (optional) 

Feature: Remote Desktop 
Description: This feature allows a remote desktop connection to a server or another device using a certificate deployed to a Windows Hello for Business container. 
Requirements: 
■ Windows 10 
■ Windows 11 
■ Cloud only, Hybrid, and On-premises only Windows Hello for Business deployments 
■ Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices 

Feature: PIN Reset 
Description: This feature enables users to reset a forgotten PIN using the lock screen or from the sign-in options available in the Settings console. https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset 
Requirements: 
■ Windows 10, version 1709 or later 
■ Windows 11 

Feature: Conditional Access 
Description: Azure Active Directory conditional access policies can be applied on devices using Windows Hello for Business. This enables organizations to apply an advanced set of conditions when a user tries to access a resource. https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access 
Requirements: 
■ Azure Active Directory 
■ Hybrid Windows Hello for Business deployment 

EXAM TIP 

Authentication with Windows Hello for Business is always key-based or certificate-based. That makes it more secure than Windows Hello, which relies on a convenience PIN technique that isn't backed by certificate-based authentication or asymmetric encryption (public/private key): https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview#the-difference-between-windows-hello-and-windows-hello-for-business 


When implementing Windows Hello for Business, you have many options to choose from. By providing multiple options, nearly every organization will be able to deploy Windows Hello for Business. The availability of numerous options makes the deployment appear complex; however, most organizations will realize they've already implemented most of the infrastructure required for the Windows Hello for Business deployment. It is critical to recognize that Windows Hello for Business is a distributed system that requires careful planning across multiple teams within an organization. Table 2-7 lists the most common Windows Hello for Business deployment types. 

TABLE 2-7 Windows Hello for Business deployment types 

Deployment type: Cloud only 
Description: The cloud-only deployment model is appropriate for organizations that only have cloud identities and do not need access to on-premises resources. These organizations typically connect their devices to the cloud and rely solely on cloud resources such as Exchange Online, SharePoint Online, Microsoft Teams, etc. Furthermore, because these users do not use on-premises resources, they do not require certificates for services such as VPN, as everything they require is hosted in Azure. 

Deployment type: Hybrid 
Description: The hybrid deployment model is intended for businesses that use federation with Azure Active Directory or Azure Active Directory Connect, use Azure Active Directory-hosted applications, and want a single sign-in user experience for both on-premises and Azure Active Directory resources. 

Deployment type: On-premises 
Description: The on-premises deployment model is intended for organizations that do not have cloud identities or use Azure Active Directory-hosted applications. 
NEED MORE REVIEW? HOW WINDOWS HELLO FOR BUSINESS WORKS 

Read more about how the Windows Hello for Business deployment types work at: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-planning-guide 


Implement and manage password protection and smart lockout 

Azure AD Password Protection enables organizations to detect known weak passwords and block users from using them. It also has the capability to detect variations of these weak passwords and block those as well. Azure AD Password Protection maintains a global banned passwords list, which is applied automatically to all users in the directory. In addition to the default global list of banned passwords, an organization can create its own custom list of banned passwords to meet its specific security requirements. Whenever a password is created or reset, it is checked against the banned password list, and only after it passes the check is the user allowed to use that password. 

Azure AD Password Protection is available both for cloud-only users and for users who are synchronized from on-premises AD DS. The next section covers Azure AD Password Protection for cloud-only users, while a later section will cover the deployment requirements and the configuration steps needed to enable Azure AD Password Protection for users synchronized from on-premises AD DS. 


EXAM TIP 

While the global banned passwords list is available with an Azure AD Free license, the ability to create and use custom banned passwords requires an Azure AD Premium P1 or P2 license. 

Licensing requirements 

The licensing requirements for global and custom banned password lists are as follows: 

■ Azure AD Password Protection with global banned password list: Cloud-only users require Azure AD Free, and users synchronized from on-premises AD DS require an Azure AD Premium P1 or P2 license to use this feature. 
■ Azure AD Password Protection with custom banned password list: Both cloud-only users and users synchronized from on-premises AD DS require an Azure AD Premium P1 or P2 license to use this feature. 
Configure custom banned password list 

The steps below show how to configure a custom banned password list: 

1. Sign in to the Azure portal, https://portal.azure.com, using a Global Administrator account. 
2. Navigate to the Azure Active Directory dashboard by using the Azure Active Directory option available in the sidebar of the Azure portal. 
3. Select the Security option located under the Manage section on the left side, as shown in Figure 2-30. 

FIGURE 2-30 Azure AD home page with the Security option. 

4. Select Authentication methods. 
5. Select Password protection, as shown in Figure 2-31. 

FIGURE 2-31 Password protection. 

6. Set the Enforce custom list option to Yes, as shown in Figure 2-32. 

FIGURE 2-32 Enforce custom list. 

7. Specify custom passwords to ban using the multi-line text box available for the Custom banned password list. Make sure to enter one term per line, as shown in Figure 2-33. 

FIGURE 2-33 Custom banned password list. 

Consider the following restrictions while creating a custom banned password list: 

■ A maximum of 1000 terms are allowed per list. 
■ The minimum term length is 4 characters. 
■ The maximum term length is 16 characters. 
■ Terms are case-insensitive. For example, Northwind, NorthWind, northwind, northWIND, and norTHwinD are all considered identical terms. 
■ The list considers common character substitutions, such as "o" and "0" or "a" and "@". 

8. Click Save. Keep all other settings at their default values. It may take up to several hours before the custom banned password list is fully applied. 
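The restrictions listed under step 7 are easy to get wrong when a list is assembled from a spreadsheet, and the case and substitution rules are what make a term such as "Northwind" also catch "N0rthwind". The following is an added example, not code from the book or from Microsoft, that validates a list against the stated limits and checks a candidate password the way the restrictions describe. The substitution map uses the two pairs the text names (o/0 and a/@) plus two I add as assumptions ($ for s and 1 for l); the real service applies further evaluation rules that are not modelled here, so this is an aid for preparing a list, not a reproduction of the tenant's check.

```python
"""Model of the custom banned password list restrictions listed above.

Added example, not code from the book or from Microsoft. The substitution map
holds the text's two pairs plus two assumed ones; the real service applies
further rules that are not modelled here.
"""
MAX_TERMS = 1000
MIN_LEN, MAX_LEN = 4, 16

# Text's examples (0 -> o, @ -> a) plus two assumed pairs ($ -> s, 1 -> l).
SUBSTITUTIONS = str.maketrans({"0": "o", "@": "a", "$": "s", "1": "l"})


def validate_banned_list(terms):
    """Apply the list restrictions; return (accepted_terms, error_messages)."""
    accepted, errors, seen = [], [], set()
    for raw in terms:
        term = raw.strip().lower()          # terms are case-insensitive
        if not term:
            continue                        # blank lines are ignored
        if len(term) < MIN_LEN or len(term) > MAX_LEN:
            errors.append("%r: length must be %d-%d characters" % (raw, MIN_LEN, MAX_LEN))
            continue
        if term in seen:
            continue                        # Northwind and norTHwinD are one term
        seen.add(term)
        accepted.append(term)
    if len(accepted) > MAX_TERMS:
        errors.append("list has %d terms; maximum is %d" % (len(accepted), MAX_TERMS))
        accepted = accepted[:MAX_TERMS]
    return accepted, errors


def normalize(password):
    """Lower-case the password and undo common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def banned_terms_in(password, banned):
    """Return the banned terms that appear in the normalised password."""
    norm = normalize(password)
    return [term for term in banned if term in norm]


if __name__ == "__main__":
    # Constructed list: the text's example term plus a few deliberate mistakes.
    terms, problems = validate_banned_list(
        ["Northwind", "norTHwinD", "Contoso", "abc", "thistermiswaytoolong"])
    print("accepted:", terms)
    print("problems:", problems)
    print("Northwind100% ->", banned_terms_in("Northwind100%", terms))
```

Run the list through validate_banned_list before pasting it into the portal; the error messages identify the exact lines that would be rejected or silently collapsed, and banned_terms_in lets a help desk explain why a proposed password was refused without revealing the whole list.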
Testing a custom banned password list 

The steps below show how to test a custom banned password list: 

1. Sign in to https://mysignins.microsoft.com/ using the user account. You will change the password for this account in the next step. 
2. Select CHANGE PASSWORD, as shown in Figure 2-34. 

FIGURE 2-34 My Account. 

3. On the Change Password page, enter the current password in the Old password textbox and then enter a new password containing a term that's on the custom banned password list that you defined earlier, for example, "Northwind100%". 
4. Click Submit. You will get an error message, as shown in Figure 2-35. This message indicates that the password you entered contains words or characters that are banned by the administrator. 

FIGURE 2-35 Change password failure due to a custom banned password list. 

5. Click Cancel to leave the page without changing the password. Alternatively, you can choose a new password that does not contain terms that are listed within the banned password list. 
6. Finally, close the browser. 


Planning for on-premises Azure AD Password Protection deployment 

The Azure AD Password Protection feature allows using the same global and custom banned password lists that are stored in Azure AD for on-premises passwords. Technically, these checks are performed whenever a password is reset or changed using on-premises AD DS domain controllers. 

Plan for deployment of Azure AD Password Protection on-premises by verifying the following core requirements: 

■ An account with Active Directory domain administrator privileges in the forest root. 
■ Universal C Runtime installation on all machines where Azure AD Password Protection components are installed. This includes domain controllers. 
■ Key Distribution Service (KDC) should be enabled on all domain controllers running Windows Server 2012 or later. 
■ Network access to the following two endpoints from machines where the Azure AD Password Protection service is installed: 
  ■ Azure AD Password Protection functionality: https://login.microsoftonline.com 
  ■ Authentication requests: https://enterpriseregistration.windows.net 
■ At least one domain controller must be able to connect with one server running the proxy service for Azure AD Password Protection. Specifically, the domain controller must be able to access RPC endpoint mapper port 135 and the RPC server port on the host running the proxy service. 
■ Download the Azure AD Password Protection for Windows Server Active Directory software installation files from the Microsoft Download Center: https://www.microsoft.com/en-us/download/details.aspx?id=57071. 
  ■ AzureADPasswordProtectionProxySetup.exe 
  ■ AzureADPasswordProtectionDCAgentSetup.msi 


Install and configure Azure AD Password Protection on-premises 

Table 2-8 summarizes the tasks that must be completed for successful installation and configuration of the Azure AD Password Protection proxy service in your environment. Please use the links provided for each task in Table 2-8 to follow the detailed step-by-step instructions provided by Microsoft. These instructions are kept up to date by Microsoft, and it is highly recommended that you follow them as-is without customizations. 

TABLE 2-8 Azure AD Password Protection installation and configuration task list 

Task: Azure AD Password Protection proxy service installation 
Description: The Azure AD Password Protection proxy service is installed on a member server located within an on-premises AD DS environment. Its role is to communicate with Azure AD and maintain a copy of the global and custom banned password lists. For step-by-step installation instructions, please read https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy#install-and-configure-the-proxy-service. 

Task: Configure the proxy service to communicate through an HTTP proxy 
Description: Configure the HTTP proxy that the Azure AD Password Protection service will use to communicate with Azure AD. This step is optional. For step-by-step configuration instructions, please read https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy#configure-the-proxy-service-to-communicate-through-an-http-proxy. 

Task: Configure the proxy service to listen on a specific port 
Description: The Azure AD Password Protection proxy service and DC agent communicate via RPC over TCP. The default configuration for the proxy service allows it to listen on any available RPC port, but this behavior can be changed by configuring it to use a specific port. This step is optional. For step-by-step configuration instructions, please read https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy#configure-the-proxy-service-to-listen-on-a-specific-port. 
Table 2-9 summarizes the task that must be completed for successful installation and configuration of the Azure AD Password Protection DC agent service. Please use the link provided for the task in Table 2-9 to follow the detailed step-by-step instructions provided by Microsoft. These instructions are kept up to date by Microsoft, and it is highly recommended that you follow them as-is without customizations. 

TABLE 2-9 Azure AD Password Protection DC agent service installation and configuration task list 

Task: Azure AD Password Protection DC agent service installation 
Description: The Azure AD Password Protection DC agent service installation can be automated using standard MSI procedures. For step-by-step configuration instructions, please read https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy#install-the-dc-agent-service. 


After the successful installation and configuration of the Azure AD Password Protection 
proxy and DC agent service, follow the steps below to enable Azure AD Password Protection 
for on-premises environments: 


1. Signin to the Azure portal, https://portal.azure.com, using a Global Administrator account. 


2. Navigate to the Azure Active Directory dashboard by using the Azure Active Directory 
option available in the sidebar of the Azure portal. 


3. Select the Security option located under the Manage section on the left side. 


4. Select Authentication methods. 


5. Select Password protection. 


6. Set Enable password protection on Windows Server Active Directory to Yes, as 
shown in Figure 2-36. Leave the Mode set to Audit. 
FIGURE 2-36 Password protection for Windows Server Active Directory. 


7. Click Save. 
NEED MORE REVIEW? AUDIT MODE VERSUS ENFORCE MODE

Read more about the audit and enforce modes of operation for Azure AD Password Protection at:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-operations#modes-of-operation


Configure smart lockout thresholds

Azure AD smart lockout helps safeguard user accounts by locking out potential malicious actors who use brute force, password spray, or similar attack techniques to guess passwords.

Azure AD smart lockout works by locking the user account from sign-in attempts for one minute after several consecutive failed attempts. The lockout acts as a shield that protects the user account from automated attacks by bots. The exact number of failed attempts that triggers the lockout depends on the Azure cloud in which the Azure AD tenant is located: for Azure Public Cloud and Azure China, the failed-attempts lockout threshold is 10; for Azure US Government, it is 3.


NEED MORE REVIEW? HOW AZURE AD SMART LOCKOUT WORKS

Read more about how Azure AD smart lockout works at: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout#how-smart-lockout-works.


The default lockout values can be customized to match organizational needs. Note that customizing the smart lockout values requires an Azure AD Premium P1 or higher license for your users. The following steps show how to change the lockout threshold and duration:

1. Sign in to the Azure portal, https://portal.azure.com, using a Global Administrator account.

2. Navigate to the Azure Active Directory dashboard by using the Azure Active Directory option available in the sidebar of the Azure portal.

3. Select the Security option located under the Manage section on the left side.

4. Select Authentication methods.

5. Select Password protection.

6. Set Lockout threshold and Lockout duration in seconds to values that match your needs. For example, Figure 2-37 shows Lockout threshold set to 5, which means the account is locked after 5 consecutive failed sign-in attempts, and Lockout duration in seconds set to 90. Keep in mind that if the first sign-in attempt after the lockout period also fails, the account locks out again, and if an account keeps getting locked out repeatedly, the lockout duration increases over time. The exact amount by which the duration increases is not published, so that malicious actors cannot tune their attempts around it.

FIGURE 2-37 Lockout threshold and Lockout duration in seconds.

7. Click Save.

EXAM TIP
When a user account is locked by the smart lockout feature, an administrator cannot unlock it; the lockout period must be allowed to expire. The user can, however, use the self-service password reset (SSPR) feature to unlock the account by resetting their password.
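Smart lockout counts failures per account, which is exactly what a password spray avoids: one or two guesses against many accounts never reach the threshold. The triage below is an added example (not from the book or from Microsoft) that runs over sign-in records constructed in the shape of the Microsoft Graph signIn resource (userPrincipalName, ipAddress, createdDateTime, status.errorCode). It counts distinct accounts per source address inside a sliding window to surface spraying, and separately lists accounts that hit the Azure AD error code 50053 (account locked by smart lockout); 50126 is the invalid username or password code. The sample records, the window size and the five-account threshold are constructed assumptions.

```python
"""Password-spray and smart-lockout triage over Azure AD sign-in records.

Added example, not Microsoft code. Records are constructed in the shape of
Microsoft Graph signIn objects. Error codes: 0 = success,
50126 = invalid username or password, 50053 = account locked (smart lockout).
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126
ACCOUNT_LOCKED = 50053


def _rec(upn, ip, when, code):
    return {"userPrincipalName": upn, "ipAddress": ip, "createdDateTime": when,
            "status": {"errorCode": code}}


# Constructed sample: 203.0.113.7 tries each of six accounts once (a spray that
# never trips the per-account threshold); grace locks herself out from her own IP.
SIGN_INS = [
    _rec("alice@contoso.com", "198.51.100.20", "2023-03-01T08:55:00Z", 0),
    _rec("alice@contoso.com", "203.0.113.7", "2023-03-01T09:00:00Z", INVALID_CREDENTIALS),
    _rec("bob@contoso.com", "203.0.113.7", "2023-03-01T09:01:00Z", INVALID_CREDENTIALS),
    _rec("carol@contoso.com", "203.0.113.7", "2023-03-01T09:02:00Z", INVALID_CREDENTIALS),
    _rec("dave@contoso.com", "203.0.113.7", "2023-03-01T09:03:00Z", INVALID_CREDENTIALS),
    _rec("erin@contoso.com", "203.0.113.7", "2023-03-01T09:04:00Z", INVALID_CREDENTIALS),
    _rec("frank@contoso.com", "203.0.113.7", "2023-03-01T09:05:00Z", INVALID_CREDENTIALS),
    _rec("grace@contoso.com", "198.51.100.5", "2023-03-01T09:10:00Z", INVALID_CREDENTIALS),
    _rec("grace@contoso.com", "198.51.100.5", "2023-03-01T09:10:30Z", INVALID_CREDENTIALS),
    _rec("grace@contoso.com", "198.51.100.5", "2023-03-01T09:11:00Z", ACCOUNT_LOCKED),
]


def _ts(value):
    # Graph timestamps end in "Z"; fromisoformat accepts "+00:00" on every Python 3.7+
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def spray_sources(records, window_minutes=30, min_users=5):
    """Return {ip: peak_distinct_accounts} for sources that fail with 50126 against
    at least min_users distinct accounts inside any window_minutes interval."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] == INVALID_CREDENTIALS:
            by_ip[r["ipAddress"]].append((_ts(r["createdDateTime"]), r["userPrincipalName"].lower()))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        active, start, peak = defaultdict(int), 0, 0
        for ts, upn in events:
            active[upn] += 1
            while ts - events[start][0] > window:  # slide the window forward
                old = events[start][1]
                active[old] -= 1
                if active[old] == 0:
                    del active[old]
                start += 1
            peak = max(peak, len(active))
        if peak >= min_users:
            flagged[ip] = peak
    return flagged


def locked_accounts(records):
    """Map each account that hit 50053 to the sorted source IPs that triggered it."""
    hits = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] == ACCOUNT_LOCKED:
            hits[r["userPrincipalName"].lower()].add(r["ipAddress"])
    return {upn: sorted(ips) for upn, ips in hits.items()}


def triage(records):
    return {"spray_sources": spray_sources(records), "locked_accounts": locked_accounts(records)}


if __name__ == "__main__":
    print(triage(SIGN_INS))
```

Accounts in locked_accounts() need the SSPR path described in the exam tip; sources in spray_sources() are candidates for a named-location block or a conditional access policy, since raising the lockout threshold does nothing against one guess per account.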


Implement certificate-based authentication in Azure AD

Azure Active Directory (Azure AD) certificate-based authentication (CBA) enables users to authenticate directly against their Azure AD account with X.509 certificates, for both application and browser sign-in.

Following are some key advantages of using Azure AD CBA:

■ Improved user experience: Users who require certificate-based authentication can now authenticate directly against Azure AD without the need for federated AD FS.

■ Ease of deployment: Azure AD CBA is a free feature that does not require any paid edition of Azure AD, nor does it require complex on-premises deployments or network configuration, because users authenticate directly against Azure AD.

■ Security: On-premises passwords do not need to be stored in any form in the cloud, and CBA works in tandem with conditional access and the authentication strength capability to enforce MFA.

In CBA, the username binding policy determines how the user's certificate is mapped to a user object. By default, the Subject Alternative Name (SAN) PrincipalName in the certificate is mapped to the UserPrincipalName attribute of the user object. Table 2-10 shows the four supported binding methods. Mapping types are high-affinity when they are based on identifiers that cannot be reused, such as the Subject Key Identifier or the SHA1 hash of the public key; these identifiers give greater assurance that only one certificate can be used to authenticate the user. The SAN-based mappings are low-affinity, because any certificate from a trusted issuer that carries the same UPN or email address in its SAN maps to the same user.


TABLE 2-10 Azure AD CBA certificate bindings

Certificate mapping field | Example value in certificateUserIds | User object attributes | Type
PrincipalName | "X509:<PN>adam@contoso.com" | userPrincipalName, onPremisesUserPrincipalName, certificateUserIds | low-affinity
RFC822Name | "X509:<RFC822>user@woodgrove.com" | userPrincipalName, onPremisesUserPrincipalName, certificateUserIds | low-affinity
X509SKI | "X509:<SKI>123456789abcdef" | certificateUserIds | high-affinity
X509SHA1PublicKey | "X509:<SHA1-PUKEY>123456789abcdef" | certificateUserIds | high-affinity


When a user authenticates to Azure AD with CBA, the user's sign-in log shows X.509 Certificate as the authentication method, as shown in Figure 2-38.

FIGURE 2-38 Azure AD user sign-in using X.509 certificate.

The following scenarios are supported by Azure AD CBA:

■ User sign-ins to web browser-based applications on all platforms.

■ User sign-ins to Office mobile apps, including Outlook, OneDrive, and so on.

■ User sign-ins on mobile native browsers.

■ Granular authentication rules for multifactor authentication based on the certificate issuer Subject and policy OIDs.

■ Configuring certificate-to-user account bindings using any of these certificate fields:
  ■ Subject Alternative Name (SAN) PrincipalName and SAN RFC822Name
  ■ Subject Key Identifier (SKI) and SHA1PublicKey

■ Configuring certificate-to-user account bindings using any of these user object attributes:
  ■ userPrincipalName
  ■ onPremisesUserPrincipalName
  ■ certificateUserIds

The following scenarios are not supported by Azure AD CBA:

■ Certificate Authority hints are not supported, so the list of certificates that appears in the certificate picker UI is not scoped for users.

■ Only one CRL Distribution Point (CDP) per trusted CA is supported.

■ The CDP can only be an HTTP URL. Azure AD CBA does not support Online Certificate Status Protocol (OCSP) or Lightweight Directory Access Protocol (LDAP) URLs.

■ Other certificate-to-user account bindings, such as Subject, Subject + Issuer, or Issuer + Serial Number, are not available in this release.

More information on configuring Azure AD CBA can be found at https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-certificate-based-authentication.
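The affinity distinction in Table 2-10 is easiest to see by running two certificates through a binding policy. The model below is an added example, not Microsoft code: certificates and user objects are constructed dictionaries standing in for the presented X.509 certificate (SAN PrincipalName, SAN RFC822Name, Subject Key Identifier, SHA1 public key hash) and the directory user (userPrincipalName, onPremisesUserPrincipalName, certificateUserIds), and the string format it parses is the X509:<PN>, X509:<RFC822>, X509:<SKI> and X509:<SHA1-PUKEY> form from the table. The evaluation order is an assumption of the model: bindings are tried in priority order, the first one whose certificate field is present on the certificate decides, and a failed lookup on that binding fails the sign-in rather than falling through. Both certificates are assumed to chain to a CA trusted by the tenant.

```python
"""Azure AD CBA username binding, modelled offline (added example, not Microsoft code)."""
import re

# certificateUserIds prefixes from Table 2-10 and the certificate field each one binds to
CERT_FIELD = {"PN": "san_principal_name", "RFC822": "san_rfc822_name",
              "SKI": "subject_key_identifier", "SHA1-PUKEY": "sha1_public_key"}
HIGH_AFFINITY = {"SKI", "SHA1-PUKEY"}
_USER_ID_RE = re.compile(r"^X509:<(PN|RFC822|SKI|SHA1-PUKEY)>(.+)$")


def parse_certificate_user_id(value):
    """'X509:<SKI>0F1E...' -> ('SKI', '0f1e...'); any other shape is rejected."""
    m = _USER_ID_RE.match(value)
    if not m:
        raise ValueError(f"unsupported certificateUserIds value: {value!r}")
    return m.group(1), m.group(2).lower()


def bind_user(cert, users, binding_policy):
    """Return (user, affinity) or (None, None).

    binding_policy is an ordered list of (certificate mapping, user attribute) pairs,
    highest priority first. Assumed rule: the first binding whose certificate field
    is present decides; if nobody matches on it, the sign-in fails closed.
    """
    for mapping, attribute in binding_policy:
        if mapping in HIGH_AFFINITY and attribute != "certificateUserIds":
            raise ValueError(f"{mapping} can only bind to certificateUserIds (Table 2-10)")
        cert_value = cert.get(CERT_FIELD[mapping])
        if cert_value is None:
            continue                      # field absent from this certificate: next binding
        cert_value = cert_value.lower()
        affinity = "high" if mapping in HIGH_AFFINITY else "low"
        for user in users:
            if attribute == "certificateUserIds":
                ids = [parse_certificate_user_id(v) for v in user.get("certificateUserIds", [])]
                if (mapping, cert_value) in ids:
                    return user, affinity
            elif user.get(attribute, "").lower() == cert_value:
                return user, affinity
        return None, None                 # field present but no user matched: fail closed
    return None, None


# Constructed directory objects and certificates (hex values are placeholders).
USERS = [
    {"userPrincipalName": "adam@contoso.com",
     "certificateUserIds": ["X509:<SKI>0f1e2d3c4b5a69788796a5b4c3d2e1f0",
                            "X509:<PN>adam@contoso.com"]},
    {"userPrincipalName": "bob@contoso.com", "certificateUserIds": []},
]
ISSUED_CERT = {"san_principal_name": "adam@contoso.com",
               "subject_key_identifier": "0F1E2D3C4B5A69788796A5B4C3D2E1F0"}
# Same UPN in the SAN, different key pair: e.g. issued by another trusted CA.
LOOKALIKE_CERT = {"san_principal_name": "adam@contoso.com",
                  "subject_key_identifier": "deadbeef00112233445566778899aabb"}

DEFAULT_BINDING = [("PN", "userPrincipalName")]                       # the default described above
HIGH_AFFINITY_BINDING = [("SKI", "certificateUserIds"), ("PN", "userPrincipalName")]

if __name__ == "__main__":
    for name, cert in (("issued", ISSUED_CERT), ("lookalike", LOOKALIKE_CERT)):
        for label, policy in (("default", DEFAULT_BINDING), ("high-affinity", HIGH_AFFINITY_BINDING)):
            user, affinity = bind_user(cert, USERS, policy)
            print(name, label, user and user["userPrincipalName"], affinity)
```

Under the default PrincipalName binding both certificates sign Adam in, because the binding only compares an email-shaped string that any trusted issuer can put in a SAN. Under the SKI binding the look-alike certificate is rejected even though its SAN is identical, which is what "only one certificate can be used to authenticate the user" means in practice; the cost is that certificateUserIds must be populated for every user, for example during issuance.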


Configure Azure AD user authentication for Windows and Linux virtual machines on Azure

By integrating with Azure AD authentication, organizations can improve the security of Windows and Linux virtual machines (VMs) in Azure. Azure AD can be used as the primary authentication platform for:

■ Windows Server 2019 Datacenter edition and later
■ Windows 10 1809 and later
■ Windows 11
■ Linux virtual machines

More details on configuring Azure AD login for a Windows VM are available at https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows#enable-azure-ad-login-for-a-windows-vm-in-azure.

More details on configuring Azure AD login for a Linux VM are available at https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux#enable-azure-ad-login-for-a-linux-vm-in-azure.


Skill 2.3: Plan, implement, and manage Azure AD conditional access

Conditional access, at its core, offers organizations the ability to let users be productive anywhere and whenever they want while also protecting the organization's resources. Organizations use Azure AD conditional access to apply the fine-grain access control policies required to secure resource access. Conditional access collects signals from a variety of sources to make decisions and enforce organizational policies.

This skill covers how to:

■ Plan conditional access policies
■ Implement conditional access policy assignments
■ Implement conditional access policy controls
■ Test and troubleshoot conditional access policies
■ Implement session management
■ Implement device-enforced restrictions
■ Implement continuous access evaluation
■ Create a conditional access policy from a template


Plan conditional access policies

An Azure AD conditional access policy is, in a nutshell, an "if-then" statement. It is a powerful tool for organizations to implement rich access control policies, since it allows both fine-grain and coarse-grain access control. Following are a few examples of conditional access policies:

■ If the user belongs to the HR Azure AD group and is requesting access to the HR application, then only grant access if the request is made from a device that is marked as compliant.

■ If the user holds the Global Administrator role, has a high sign-in risk, and is requesting access to the Azure portal, then only grant access after the user successfully completes both the MFA challenge and a password reset.

■ If the user belongs to the United States Sales Azure AD group, is making a request from a location outside of the United States (location based on IP address), and is requesting access to a Microsoft 365 cloud application, then block the request.

■ If a request is made by any user in the Azure AD directory to access the LegacyHRApp application, then block the request.

■ If a request is made by any user in the Azure AD directory to access a cloud application using legacy authentication, then block the request.

■ If a request is made by any user in the Azure AD directory to access any cloud application, then only grant access if they have successfully accepted the Terms of Use (ToU).


Azure AD includes a handy What If tool that allows you to simulate the behavior of condi- 
tional access policies without running them. This aids in the planning of conditional access poli- 
cies by providing visibility into potential user impact. Figure 2-39 shows the What If tool with 
input parameters, and Figure 2-40 shows the result of the What If tool. 


[Figure 2-39 screenshot: What If tool input fields: User or Workload identity (adam), Cloud apps, actions, or authentication context (Any cloud app), IP address, Country (United States), Device platform (iOS), Client apps (Browser), Device state (deprecated), Sign-in risk (Medium), User risk level (Medium), Service principal risk (Preview), Filter for devices]

FIGURE 2-39 Azure AD What If tool parameters.

[Figure 2-40 screenshot: Evaluation result with the tabs Policies that will apply and Policies that will not apply; columns Policy Name, Reasons why this policy will not apply, State; one row: CA-REG-001A, Cloud apps, Report-only]

FIGURE 2-40 Azure AD What If tool results.
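The "if-then" examples above and the What If tool are two views of the same evaluation: every enabled policy whose assignments and conditions all match the sign-in contributes its grant controls, exclusions beat inclusions, a single block control wins, and report-only policies are recorded but not enforced. The evaluator below is an added example, not Microsoft's What If tool or its code. Its policies use the Microsoft Graph conditionalAccessPolicy shape (conditions.users, conditions.applications, conditions.signInRiskLevels, conditions.userRiskLevels, conditions.clientAppTypes, conditions.platforms, grantControls, state), so a policy exported from Graph can be dropped in. The sample policies and sign-ins are constructed; the Global Administrator role template ID is the real one, while the My Apps and Exchange application IDs are placeholders.

```python
"""Offline evaluator for Azure AD conditional access policies (added example, not Microsoft code)."""

ALL = "All"
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template ID
MY_APPS_APP = "my-apps-app-id"                               # placeholder application ID
EXCHANGE_APP = "exchange-online-app-id"                      # placeholder application ID


def _in_scope(scope, include_key, exclude_key, values):
    """True if any value is included (or 'All' is) and none is excluded."""
    inc, exc = scope.get(include_key, []), scope.get(exclude_key, [])
    return (ALL in inc or any(v in inc for v in values)) and not any(v in exc for v in values)


def user_in_scope(users, signin):
    """Users, groups and directory roles: any inclusion targets the user, any exclusion removes them."""
    ids = {"Users": [signin["userId"]], "Groups": signin["groups"], "Roles": signin["roles"]}
    included = ALL in users.get("includeUsers", []) or any(
        v in users.get("include" + kind, []) for kind, vals in ids.items() for v in vals)
    excluded = any(v in users.get("exclude" + kind, []) for kind, vals in ids.items() for v in vals)
    return included and not excluded


def policy_applies(policy, signin):
    c = policy["conditions"]
    if not user_in_scope(c["users"], signin):
        return False
    if not _in_scope(c["applications"], "includeApplications", "excludeApplications", [signin["appId"]]):
        return False
    # list conditions: an empty list means "not configured" and always matches
    for key, field in (("signInRiskLevels", "signInRisk"), ("userRiskLevels", "userRisk"),
                       ("clientAppTypes", "clientAppType")):
        if c.get(key) and signin[field] not in c[key]:
            return False
    platforms = c.get("platforms")
    if platforms and not _in_scope(platforms, "includePlatforms", "excludePlatforms", [signin["platform"]]):
        return False
    return True


def evaluate(policies, signin):
    """Aggregate all policies: report-only ones are listed, enforced ones add their controls."""
    applied, report_only, required, blocked = [], [], set(), False
    for p in policies:
        if p["state"] == "disabled" or not policy_applies(p, signin):
            continue
        if p["state"] == "enabledForReportingButNotEnforced":
            report_only.append(p["displayName"])
            continue
        applied.append(p["displayName"])
        g = p["grantControls"]
        controls = g.get("builtInControls", []) + ["termsOfUse:" + t for t in g.get("termsOfUse", [])]
        if "block" in controls:
            blocked = True
        elif g.get("operator") == "OR" and len(controls) > 1:
            required.add(" OR ".join(controls))   # any one of these satisfies this policy
        else:
            required.update(controls)              # AND: every control is required
    return {"decision": "block" if blocked else "grant", "controls": sorted(required),
            "applied": applied, "report_only": report_only}


POLICIES = [  # constructed, in the Graph conditionalAccessPolicy shape
    {"displayName": "Enforce-ToU", "state": "enabled",
     "conditions": {"users": {"includeUsers": [ALL], "excludeRoles": [GLOBAL_ADMIN_ROLE]},
                    "applications": {"includeApplications": [MY_APPS_APP]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "AND", "termsOfUse": ["tou-employee"]}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": [ALL]}, "applications": {"includeApplications": [ALL]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Global admins require MFA", "state": "enabled",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE]},
                    "applications": {"includeApplications": [ALL]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA-REG-001A", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": [ALL]}, "applications": {"includeApplications": [ALL]},
                    "signInRiskLevels": ["medium", "high"]},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}},
]


def make_signin(user_id, app_id, client="browser", roles=(), groups=(), sign_in_risk="none",
                user_risk="none", platform="iOS"):
    return {"userId": user_id, "appId": app_id, "clientAppType": client, "roles": list(roles),
            "groups": list(groups), "signInRisk": sign_in_risk, "userRisk": user_risk,
            "platform": platform}


if __name__ == "__main__":
    for s in (make_signin("adam", MY_APPS_APP, sign_in_risk="medium"),
              make_signin("diane", MY_APPS_APP, roles=[GLOBAL_ADMIN_ROLE]),
              make_signin("adam", EXCHANGE_APP, client="other")):
        print(s["userId"], s["clientAppType"], evaluate(POLICIES, s))
```

The three sample sign-ins show the planning questions the What If tool answers: Adam at medium risk is asked for the Terms of Use while CA-REG-001A is only reported, a Global Administrator is excluded from the ToU policy but caught by the MFA policy, and Adam's legacy-protocol sign-in is blocked regardless of the grant controls in other policies. Exporting real policies from Graph and replaying past sign-ins through this evaluator is a cheap first pass before the report-only phase described in Table 2-11.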


Licensing requirements

The Azure AD conditional access feature requires an Azure AD Premium P1 license or a Microsoft 365 Business Premium license. Also, using risk-based signals like sign-in risk and user risk requires the Identity Protection feature, which is available as part of the Azure AD Premium P2 license. If the Azure AD Premium licensing required for working with conditional access is not available, the message/banner shown in Figure 2-41 is displayed. If a required license was held in the past but is no longer valid, the existing policies are listed but cannot be modified.
[Figure 2-41 screenshot: Conditional Access | Policies blade with the banner "Create your own policies and target specific conditions like Cloud apps, Sign-in risk, and Device platforms with Azure AD Premium"; two policies listed (MFA Policy and MFA Test Policy, both Off) with Creation Date and Modified Date columns]

FIGURE 2-41 Azure AD Conditional Access licensing message.


Furthermore, certain conditional access policy features, such as the risk-based conditions User risk level and Sign-in risk level shown in Figure 2-42, are only available when an Azure AD Premium P2 license is used, because they require the Identity Protection feature.


[Figure 2-42 screenshot: New Conditional Access policy blade with Name, Assignments (Users or workload identities, Cloud apps or actions, Conditions) and Access controls (Grant); the Conditions pane lists User risk level, Sign-in risk level, Device platforms, Locations, Client apps and Filter for devices, all Not configured]

FIGURE 2-42 Azure AD P2 license is required for risk-based conditions.
Deployment planning for conditional access policies

Planning the deployment of Azure AD conditional access policies is a critical step toward ensuring that users' productivity is not negatively impacted while the security posture is improved by the policies enforced. Table 2-11 shows proven practices that should be taken into consideration while planning the conditional access deployment.


TABLE 2-11 Azure AD conditional access deployment considerations

Consideration: Use report-only mode
Description: The report-only mode for conditional access policies enables you to view the results of real-time policy execution without enforcing the policy. This is a very effective way to evaluate policies by reviewing the sign-in logs and gaining a better understanding of their impact before enabling them in the production environment.

Consideration: Configure break-glass accounts
Description: Misconfigured conditional access policies may lock administrator accounts out of critical applications, with a negative impact on business continuity. To mitigate this, always configure multiple break-glass accounts. These accounts are excluded from conditional access policies, so they can continue to access the critical applications.

Consideration: Avoid broad-scope block-all policies
Description: Conditional access policies can be implemented in both fine-grain and coarse-grain fashion. Be as precise as possible when defining a conditional access policy, to avoid accidentally impacting a broader range of users than expected.

Consideration: Simulate policy execution using the What If tool
Description: The What If tool helps you test conditional access policies by simulating user sign-in under various scenarios based on a combination of attributes such as user, application, location, and device platform. The result shows which conditional access policies would apply based on the sign-in characteristics. Run the What If tool before the actual deployment to understand the impact of the conditional access policies. Read more about the What If tool at https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/what-if-tool.

Consideration: Rollback policy
Description: Azure AD allows three ways to roll back a conditional access policy:
■ Exclude the selected users and groups from the policy
■ Disable the policy
■ Delete the policy
NOTE CONDITIONAL ACCESS AND SECURITY DEFAULTS

Many organizations start with the security defaults feature, which provides a pre-baked, coarse-grain set of security policies that serve well for organizations that have limited or no security posture management policies to begin with and need a starting point. For organizations with more mature security practices, however, fine-grain control is better aligned with their policy requirements. Security defaults and conditional access cannot both be enabled at the same time on an Azure AD tenant, so a choice must be made between them, which requires careful planning and consideration of the costs associated with licensing, training, implementation, and help desk/support. It is also critical to avoid a full-scale rollout of conditional access policies without first running a minimum-viable product (MVP) program that evaluates all the required conditional access policies in report-only mode and then carefully reviews the report at the end of the program. The results reveal how many users would be impacted without applying or enforcing the policies. This is an important step that helps both IT operations and the business set a rollout velocity that improves the overall security posture without jeopardizing users' productivity.


Implement conditional access policy assignments

The assignments section of a conditional access policy determines who, what, and where the policy applies to. Following are the key components of conditional access policy assignments:

■ Users and groups: Allows targeting of specific users and groups of users. For more information about user- and group-based assignments in conditional access, refer to https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-users-groups.

■ Directory roles: Allows administrators to specify which Azure AD directory roles should be used to determine assignment. Organizations, for example, may impose stricter policies on users with the Global Administrator role.

■ Guests or external users: Provides a variety of choices for targeting conditional access policies at specific guest or external user types, as well as at specific tenants containing those types of users.

■ Cloud apps, actions, and authentication context: Administrators can assign controls to particular applications, actions, or authentication contexts. They can select from a list of applications that includes built-in Microsoft applications as well as any Azure AD integrated application, including gallery, non-gallery, and Application Proxy applications. Administrators can also define policy based on a user action rather than a cloud application, such as registering security information or registering or joining devices, allowing conditional access to enforce controls around those actions. Finally, authentication context can be used to add an extra layer of security to applications. For more information about cloud apps, actions, and authentication context, refer to https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps.

■ Conditions: An administrator can use signals from conditions such as risk, device platform, or location to refine policy decisions within a conditional access policy. More information about conditions is available at https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions.


This section shows you how to use the various conditional access policy assignments to enforce Terms of Use (ToU). Note that Terms of Use requires an Azure AD Premium P1 or higher license; the tenant used for the screenshots in this section is licensed with Azure AD Premium P2.


Enforce Terms of Use (ToU) using conditional access policy

Organizations can use Azure AD Terms of Use (ToU) policies to convey information to end users in a simple way. This allows users to read essential disclaimers for legal or compliance needs, and lets the organization record that they accepted them.

Follow the steps below to add a new Terms of Use, which you will use later in the conditional access policy:

1. Sign in to the Azure portal, https://portal.azure.com, using a Global Administrator account.

2. Navigate to the Azure Active Directory dashboard by using the Azure Active Directory option available in the sidebar of the Azure portal.

3. Select Identity Governance located under the Manage section, as shown in Figure 2-43.


[Figure 2-43 screenshot: Contoso Corp | Overview blade; the Manage section of the left pane lists Users, Groups, External identities, Roles and administrators, Administrative units, Enterprise applications, App registrations, Identity Governance, Licenses, Azure AD Connect, Custom domain names, Mobility (MDM and MAM), Password reset, Company branding and User settings; Basic information shows License: Azure AD Premium P2]

FIGURE 2-43 Azure AD Identity Governance.
4. Select Terms of use from the left side pane, as shown in Figure 2-44.


[Figure 2-44 screenshot: Identity Governance blade; the left pane groups Entitlement management, Access reviews, Privileged Identity Management (Azure AD roles, Azure resources), Terms of use, Activity (Audit logs) and Troubleshooting + Support; the Get started page shows tabs for External user lifecycle, Group membership, Role assignments and Auditing and reporting]

FIGURE 2-44 Terms of Use (ToU).


5. Click New terms from the top pane.

6. On the New terms of use page, fill in the following information. It should look like Figure 2-45.

■ Name: Employee Terms of Use Agreement.

■ Terms of use document: Select and upload any PDF document, since it is only going to be used for testing purposes. You can use the Microsoft SLA, which is available for download at https://download.microsoft.com/download/2/C/8/2C8CAC17-FCE7-4F51-9556-4D77C7022DF5/MCA2017Agr_EMEA_EU-EFTA_ENG_Sep20172_CR.pdf.

■ Language: Select English (or the language of your choice) from the dropdown menu.

■ Display Name: ToU.

■ Require users to expand the terms of use: On. This forces users to open the entire document before they can accept it.

■ Require users to consent on every device: Off.

■ Expire consents: Off.

■ Duration before re-acceptance required (days): 60.

■ Enforce with conditional access policy templates: Create conditional access policy later.


[Figure 2-45 screenshot: New terms of use page with Name "Employee Terms of Use Agreement", the uploaded terms.pdf document with language English and display name ToU, the Require users to expand the terms of use, Require users to consent on every device and Expire consents toggles, Duration before re-acceptance required (days) set to 60, Enforce with conditional access policy templates set to "Create conditional access policy later", and the note that the terms of use will appear in the grant control list when creating a conditional access policy]

FIGURE 2-45 New Terms of Use.


Follow the steps below to create a new conditional access policy that enforces the Terms of Use (ToU) before users can sign in to the My Apps portal.

1. Sign in to the Azure portal, https://portal.azure.com, using a Global Administrator account.

2. Navigate to the Azure Active Directory dashboard by using the Azure Active Directory option available in the sidebar of the Azure portal.

3. Select Security from the left side pane.

4. Select Conditional Access from the left side pane, as shown in Figure 2-46.
[Figure 2-46 screenshot: Security | Getting started blade; the left pane lists Conditional Access, Identity Protection, Security Center and Verifiable credentials (Preview) under Protect, Identity Secure Score, Named locations, Authentication methods and MFA under Manage, and Risky users, Risky workload identities, Risky sign-ins and Risk detections under Report]

FIGURE 2-46 Conditional Access.

5. Click + New policy and then select Create new policy, as shown in Figure 2-47.
[Figure 2-47 screenshot: Conditional Access | Policies blade with the + New policy menu open, offering Create new policy and Create new policy from templates (Preview); the left pane lists Named locations, Custom controls (Preview), Terms of use, VPN connectivity, Authentication context (Preview) and Classic policies under Manage]

FIGURE 2-47 Create new policy.
6. On the New Conditional Access policy page, enter Enforce-ToU for the Name, as shown in Figure 2-48.


[Figure 2-48 screenshot: New Conditional Access policy page with Name set to Enforce-ToU, Assignments (Users or workload identities: 0 selected; Cloud apps or actions), Access controls (Grant), and Enable policy set to Report-only / On / Off]

FIGURE 2-48 New Conditional Access policy.


7. Expand Users or workload identities and then set the following options. The result should look like Figure 2-49.

■ What does this policy apply to: Users and groups.

■ Include: All users.

■ Exclude: Select Directory roles and then choose the Global administrator role from the dropdown menu. Excluding this role keeps administrators from being locked out by a misconfigured grant control, which is the same reasoning as the break-glass recommendation in Table 2-11.
[Figure 2-49 screenshot: Users or workload identities pane for the Enforce-ToU policy; What does this policy apply to: Users and groups; Include: All users; Exclude: Directory roles with Global administrator selected; summary reads "All users included and specific users excluded"]

FIGURE 2-49 Users or workload identities.


8. Expand Cloud apps or actions and then set the following options. The result should look like Figure 2-50.

■ Select what this policy applies to: Cloud apps.
■ Include: Click Select apps and then search for and choose My Apps.


[Figure 2-50 shows the Cloud apps or actions pane: Select what this policy applies to is set to Cloud apps, the Include tab has Select apps chosen, and My Apps is the single selected application, so the summary reads "1 app included".]

FIGURE 2-50 Cloud apps or actions.
Implement conditional access policy controls 


9. Expand Grant, set the following options, and then click Select. The result should look like Figure 2-51.

■ Grant access: Employee Terms of Use Agreement.
■ For multiple controls: Require all the selected controls.


[Figure 2-51 shows the Grant pane for the Enforce-ToU policy. Grant access is selected rather than Block access; the Require multifactor authentication, Require device to be marked as compliant, Require Hybrid Azure AD joined device, Require approved client app, Require app protection policy and Require password change checkboxes are clear; the Employee Terms of Use Agreement checkbox is checked; and For multiple controls is set to Require all the selected controls.]

FIGURE 2-51 Grant options.


10. Set Enable policy to On.


11. Click Create.


The Access controls section of a conditional access policy determines what happens when the policy's assignments and conditions match. It has two parts:

■ Grant: Allows or blocks access, optionally requiring one or more controls (multifactor authentication, a compliant or Hybrid Azure AD joined device, an approved client app, an app protection policy, a password change, or acceptance of terms of use) before access is granted. Learn more about Grant controls at https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant.

■ Session: Constrains what the user can do within specific cloud applications after access is granted, for example by limiting the sign-in frequency or disabling persistent browser sessions. Learn more about Session controls at https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-session.

This section shows how to use the Grant control to deny access to a resource based on the sign-in risk signal. You need an Azure AD Premium P2 license to complete the tasks in this section, because sign-in risk is an Identity Protection signal.


Enforce MFA using the sign-in risk signal with conditional access policy

Follow the steps below to create a conditional access policy that uses the sign-in risk signal when deciding whether to grant access to a cloud application. Note that the grant control configured in this lab is Block access, so risky sign-ins are denied outright; to require MFA instead, choose Grant access with Require multifactor authentication in step 10.

1. Sign in to the Azure portal, https://portal.azure.com, using a Global Administrator account.
2. Navigate to the Azure Active Directory dashboard by using the Azure Active Directory option available in the sidebar of the Azure portal.
3. Select Security from the left side pane.
4. Select Conditional Access from the left side pane, as shown in Figure 2-46.
5. Click + New policy and then select Create new policy.
6. On the New conditional access page, enter CA-SignIn for the Name.
7. Expand Users or workload identities and then set the following options. The result should look like Figure 2-49.
   ■ What does this policy apply to: Users and groups.
   ■ Include: All users.
   ■ Exclude: Select the Global administrator role from the Directory roles dropdown menu.
8. Expand Cloud apps or actions and then set the following options.
   ■ Select what this policy applies to: Cloud apps.
   ■ Include: All cloud apps.
9. Expand Conditions, select Sign-in risk, and set the following options:
   ■ Set Configure to Yes.
   ■ Select the sign-in risk levels this policy will apply to: High, Medium and Low. (Including Low makes the lab easy to trigger; for production, Microsoft's guidance, covered in Skill 2.4, is to target Medium and High.)
   ■ Press Done to save your choices.
10. Expand Grant, set the following options, and then click Select.
   ■ Block access.
   ■ For multiple controls: Keep the default option.
11. Set Enable policy to On.
12. Click Create.
Test and troubleshoot conditional access policies

In this section, you will learn how to test the conditional access policies created earlier and how to troubleshoot them.

Test conditional access policy to enforce Terms of Use (ToU)

The steps below show how to test the conditional access policy that enforces the Terms of Use (ToU), which you created earlier:

1. Sign in to the My Apps portal, https://myapps.microsoft.com/, with a user account that does not have the Global Administrator role assigned and has not yet read and accepted the Terms of Use (ToU). (Global Administrators were excluded from the policy, so it would not apply to them.)
2. Expand the Terms of Use (ToU), and then select Accept, as shown in Figure 2-52. You must review the entire terms of use document by scrolling through it before you can accept it.


[Figure 2-52 shows the Contoso Corp Terms of Use prompt: "In order to access Contoso Corp resource(s), you must read the Terms of Use", an expandable ToU document, the text "Please click Accept to confirm that you have read and understood the terms of use", and the Accept button.]

FIGURE 2-52 Terms of Use (ToU).


The sign-in process then completes, and the browser redirects to the My Apps portal.

You have successfully tested the conditional access policy that enforces the Terms of Use (ToU) before the user can access the resource.
Test Enforce MFA using the sign-in risk signal with the conditional access policy

The Tor Browser (https://www.torproject.org/) is required to complete the steps below: signing in through the Tor network is detected by Identity Protection as use of an anonymizer IP address, which raises the sign-in risk and lets you trigger the CA-SignIn policy on demand. If your organization prohibits the use of the Tor Browser, you may need to install it on an isolated virtual machine.

1. Launch the Tor Browser.
2. Sign in to the Azure portal, https://portal.azure.com, with a user account that does not have the Global Administrator role assigned.

Because of the high sign-in risk caused by the anonymizer, the CA-SignIn policy blocks access and a message is displayed, as shown in Figure 2-53.


[Figure 2-53 shows the Microsoft sign-in error page: "You cannot access this right now. Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app, or location that is restricted by your admin." with a "Sign out and sign in with a different account" link and a More details link.]

FIGURE 2-53 Sign-in blocked due to high risk.
Troubleshooting conditional access policy

When a conditional access policy blocks a sign-in, the user is shown an explanation like the one in Figure 2-53. This gives the user just enough information to understand that an administrator's policy, not a wrong password, is the cause, but it does not say which policy applied. IT administrators need more, and the user can supply it by expanding More details, as shown in Figure 2-54, which exposes the identifiers needed to find the sign-in in the logs.


[Figure 2-54 shows the same error page with the Troubleshooting details pane expanded ("If you contact your administrator, send this info to them", with a Copy info to clipboard link). The pane shows:]

Error Code: 53003
Request Id: 9421e1de-ac43-47a3-857a-2a9d8b096a00
Correlation Id: 105877aa-d614-4818-ad6a-ede8aa80d811
Timestamp: 2022-05-14T03:23:48.203Z
App name: Azure Portal
App id: c44b4083-3bb0-49c1-b47d-974e53cbdf3c
IP address: 104.244.77.73
Device identifier: Not available
Device platform: macOS
Device state: Unregistered

Flag sign-in errors for review: Enable flagging. If you plan on getting help for this problem, enable flagging and try to reproduce the error within 20 minutes. Flagged events make diagnostics available and are raised to admin attention.

FIGURE 2-54 Troubleshooting details.


Administrators can then search the Sign-in logs for the Correlation Id, Timestamp and other attributes shown in Figure 2-54. To access the Sign-in logs and troubleshoot, follow these steps:

1. Sign in to the Azure portal, https://portal.azure.com, with a user account that has the Global Administrator role assigned to it or has the necessary permissions to view the Sign-in logs (for example, Reports Reader or Security Reader).
2. Navigate to the Azure Active Directory dashboard by using the Azure Active Directory option available in the sidebar of the Azure portal.
3. Select Sign-in logs located under the Monitoring section.
4. The Sign-in logs are displayed in chronological order, as shown in Figure 2-55. You can filter based on Correlation Id or other information.
FIGURE 2-55 Sign-in logs.


Select the Sign-in log entry with status Failure and the Correlation Id matching the information collected earlier. As shown in Figure 2-56, the Failure reason, Additional details, and Sign-in error code provide useful information for troubleshooting.


[Figure 2-56 shows the Activity Details pane for the blocked sign-in. The recoverable fields are:]

Correlation Id: 105877aa-d614-4818-ad6a-ede8aa80d811
Authentication requirement: Single factor authentication
Status: Failure
Continuous access evaluation: No
Sign-in error code: 53003
Failure reason: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.
Additional details: If this is unexpected, see the conditional access policy that applied to this request in the Azure Portal.

FIGURE 2-56 Activity Details for Sign-ins.


You may now close the browser. 
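The lookup described above (copy the Correlation Id from the user's More details pane, then find the failed sign-in and the policy that produced the block) is easy to script once the sign-in records are exported from the Sign-in logs blade or pulled through Microsoft Graph (GET /auditLogs/signIns). The following is an added example, not code from the book: it parses the text a user pastes from the troubleshooting pane and searches sign-in records constructed by hand in the shape of the Graph signIn resource. The correlation ID, error code and failure reason are taken from Figures 2-54 and 2-56; the user name, the second record and the "CA-ReportOnlyTest" policy name are made up for the example.

```python
"""Match a user's Conditional Access 'More details' text to the sign-in log entry that explains it.

Added example. The sign-in records below are constructed by hand in the shape of the
Microsoft Graph signIn resource (GET /auditLogs/signIns); in practice you would export
them from the Sign-in logs blade or fetch them with Graph and pass the list in.
"""
import json

# Text as copied from the troubleshooting pane in Figure 2-54 (values from that figure).
TROUBLESHOOTING_TEXT = """Error Code: 53003
Request Id: 9421e1de-ac43-47a3-857a-2a9d8b096a00
Correlation Id: 105877aa-d614-4818-ad6a-ede8aa80d811
Timestamp: 2022-05-14T03:23:48.203Z
App name: Azure Portal
IP address: 104.244.77.73
Device platform: macOS
Device state: Unregistered"""

# Constructed sign-in records. The first is the blocked sign-in; the second is unrelated noise.
SIGN_INS = json.loads("""[
  {
    "correlationId": "105877aa-d614-4818-ad6a-ede8aa80d811",
    "createdDateTime": "2022-05-14T03:23:48Z",
    "userPrincipalName": "user@contoso.com",
    "appDisplayName": "Azure Portal",
    "ipAddress": "104.244.77.73",
    "riskLevelDuringSignIn": "high",
    "conditionalAccessStatus": "failure",
    "status": {
      "errorCode": 53003,
      "failureReason": "Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.",
      "additionalDetails": "If this is unexpected, see the conditional access policy that applied to this request in the Azure Portal."
    },
    "appliedConditionalAccessPolicies": [
      {"displayName": "CA-SignIn", "enforcedGrantControls": ["Block"], "result": "failure"},
      {"displayName": "Enforce-ToU", "enforcedGrantControls": [], "result": "notApplied"},
      {"displayName": "CA-ReportOnlyTest", "enforcedGrantControls": ["Mfa"], "result": "reportOnlyFailure"}
    ]
  },
  {
    "correlationId": "0c3d7c2e-1111-2222-3333-444455556666",
    "createdDateTime": "2022-05-14T03:20:10Z",
    "userPrincipalName": "user@contoso.com",
    "appDisplayName": "Office 365 SharePoint Online",
    "ipAddress": "203.0.113.7",
    "riskLevelDuringSignIn": "none",
    "conditionalAccessStatus": "success",
    "status": {"errorCode": 0, "failureReason": "Other.", "additionalDetails": null},
    "appliedConditionalAccessPolicies": [
      {"displayName": "Enforce-ToU", "enforcedGrantControls": ["TermsOfUse"], "result": "success"}
    ]
  }
]""")


def parse_troubleshooting_details(text):
    """Turn the 'Key: value' lines of the More details pane into a dict (split on the first colon only)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def find_sign_in(sign_ins, correlation_id):
    """Return the sign-in record carrying this correlationId, or None."""
    return next((s for s in sign_ins if s.get("correlationId") == correlation_id), None)


def explain_block(details_text, sign_ins):
    """Pair the pane text with its log entry and name the policies behind the decision."""
    details = parse_troubleshooting_details(details_text)
    entry = find_sign_in(sign_ins, details.get("Correlation Id"))
    if entry is None:
        return {"found": False, "correlationId": details.get("Correlation Id")}
    policies = entry.get("appliedConditionalAccessPolicies", [])
    return {
        "found": True,
        "correlationId": entry["correlationId"],
        "user": entry.get("userPrincipalName"),
        "errorCode": entry["status"]["errorCode"],
        "paneErrorCode": int(details.get("Error Code", "0")),
        "failureReason": entry["status"]["failureReason"],
        "riskLevelDuringSignIn": entry.get("riskLevelDuringSignIn"),
        # Policies whose grant controls were not satisfied and therefore caused the block.
        "blockedBy": [p["displayName"] for p in policies if p.get("result") == "failure"],
        # Report-only policies that would also have failed had they been enforced.
        "wouldAlsoFail": [p["displayName"] for p in policies if p.get("result") == "reportOnlyFailure"],
    }


if __name__ == "__main__":
    print(json.dumps(explain_block(TROUBLESHOOTING_TEXT, SIGN_INS), indent=2))
```

The result names CA-SignIn as the policy that blocked the request, and separately lists report-only policies that would have failed, which is the signal to look at before flipping such a policy from Report-only to On.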
Implement session management

Organizations frequently need to restrict sessions when corporate resources are accessed from unmanaged or shared devices, or when sensitive business data is reached from external networks. To constrain the authentication session, administrators can use conditional access policies that target session management scenarios. Table 2-12 lists the session controls an administrator can apply through a conditional access policy to limit the experience within specified cloud applications.


TABLE 2-12 Azure AD session controls options for conditional access

Option: Conditional access application control
Description: Routes the session through Microsoft Defender for Cloud Apps so that user application access and sessions are monitored and controlled in real time, based on access and session policies defined in Defender for Cloud Apps. More information: https://docs.microsoft.com/en-us/defender-cloud-apps/proxy-deployment-aad.

Option: Sign-in frequency
Description: Sets the time period after which a user must sign in again when accessing a resource. Administrators can set a limit in hours or days, or require reauthentication every time. The setting only applies to apps that use the OAuth 2.0 or OpenID Connect protocols. More information: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#user-sign-in-frequency.

Option: Persistent browser session
Description: Controls whether users stay signed in after closing and reopening their browser (Always persistent or Never persistent). More information: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#persistence-of-browsing-sessions.

Option: Customize continuous access evaluation
Description: Lets an organization disable continuous access evaluation, which is otherwise enabled by default, for the users and apps the policy targets. More information: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation.

Option: Disable resilience defaults (Preview)
Description: Resilience defaults let Azure AD extend existing sessions during an Azure AD outage. When this option is enabled, that extension is turned off, so access to resources is denied once existing sessions expire. More information: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/resilience-defaults.


Implement device-enforcement restrictions

Conditional access policies can use the compliance state reported by devices managed with Microsoft Intune to assess an organization's compliance requirements and grant or deny access to an organizational resource. For example, if the grant control is set to Require device to be marked as compliant, the conditional access policy uses the device's Intune compliance status to decide whether to grant or deny access to email and other organizational resources.

The steps below demonstrate how to create a conditional access policy that requires users to use an approved client app and an app protection policy when accessing corporate cloud apps from a device running iOS or Android.


1. Sign in to the Azure portal, https://portal.azure.com, using a Global Administrator account.
2. Navigate to the Azure Active Directory dashboard by using the Azure Active Directory option available in the sidebar of the Azure portal.
3. Select Security from the left side pane.
4. Select Conditional Access from the left side pane, as shown in Figure 2-46.
5. Click + New policy and then select Create new policy.
6. On the New conditional access page, enter CA-DeviceCompliancePolicy for the Name.
7. Expand Users or workload identities and then set the following options.
   ■ What does this policy apply to: Users and groups.
   ■ Include: All users.
   ■ Exclude: Select the Global administrator role from the Directory roles dropdown menu.
8. Expand Cloud apps or actions and then set the following options.
   ■ Select what this policy applies to: Cloud apps.
   ■ Include: All cloud apps.
9. Expand Conditions, select Device platforms, and set the following options:
   ■ Set Configure to Yes.
   ■ Select the device platforms: iOS and Android.
   ■ Press Done to save your choices.
10. Expand Grant, set the following options, and then click Select.
   ■ Grant access, and then select the checkboxes for Require approved client app and Require app protection policy.
   ■ For multiple controls: Require all the selected controls.
11. Set Enable policy to On.
12. Click Create.

With Require all the selected controls, a device must both use an approved client app and have an Intune app protection policy applied; if either control on its own should be enough, choose Require one of the selected controls instead. Read more about device enforcement using conditional access at https://learn.microsoft.com/en-us/mem/intune/protect/conditional-access-intune-common-ways-use#device-based-conditional-access.
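Every policy in this chapter was created by clicking through the same blade. The same objects can be created through Microsoft Graph (POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies with the Policy.ReadWrite.ConditionalAccess permission), which is how you keep policies in source control and review them before they are enforced. The following is an added example, not code from the book: it builds the request bodies for the Enforce-ToU, CA-SignIn and CA-DeviceCompliancePolicy policies described above, adds a session-control policy using the sign-in frequency and persistent browser options from Table 2-12, and lints each body for the mistakes the chapter warns about (no excluded administrators, enabling a policy without a report-only phase, Require password change outside All cloud apps). The Global Administrator role template ID is the well-known value shared by all tenants; the Terms of Use agreement ID and the My Apps application ID are hypothetical placeholders you must replace with values from your tenant.

```python
"""Build Microsoft Graph conditionalAccessPolicy request bodies for the policies in this chapter.

Added example, not code from the book. Each function returns a dict in the shape of the v1.0
conditionalAccessPolicy resource. Serialize it with render() and POST it to
https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies with a token that holds
the Policy.ReadWrite.ConditionalAccess permission.
"""
import json

# roleTemplateId of the Global Administrator directory role; identical in every tenant
# (confirm with GET /directoryRoleTemplates if in doubt).
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"

# Hypothetical placeholders: replace with the agreement ID from Conditional Access > Terms of use
# and the application ID of My Apps from Enterprise applications in your tenant.
TOU_AGREEMENT_ID = "11111111-2222-3333-4444-555555555555"
MY_APPS_APP_ID = "66666666-7777-8888-9999-000000000000"

REPORT_ONLY = "enabledForReportingButNotEnforced"  # other states: "enabled", "disabled"


def base_policy(name, state=REPORT_ONLY):
    """Common skeleton of every lab policy: all users except Global Administrators, all cloud apps."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeRoles": [GLOBAL_ADMIN_ROLE]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "AND", "builtInControls": []},
    }


def enforce_tou_policy():
    """Enforce-ToU: scope to My Apps and grant access only once the agreement has been accepted."""
    policy = base_policy("Enforce-ToU")
    policy["conditions"]["applications"]["includeApplications"] = [MY_APPS_APP_ID]
    policy["grantControls"]["termsOfUse"] = [TOU_AGREEMENT_ID]
    return policy


def sign_in_risk_block_policy(levels=("high", "medium")):
    """CA-SignIn: block risky sign-ins. The lab also selected low; medium and high is the production guidance."""
    policy = base_policy("CA-SignIn")
    policy["conditions"]["signInRiskLevels"] = list(levels)
    policy["grantControls"]["builtInControls"] = ["block"]
    return policy


def device_compliance_policy():
    """CA-DeviceCompliancePolicy: iOS and Android need an approved client app AND an app protection policy."""
    policy = base_policy("CA-DeviceCompliancePolicy")
    policy["conditions"]["platforms"] = {"includePlatforms": ["iOS", "android"]}
    policy["grantControls"]["builtInControls"] = ["approvedApplication", "compliantApplication"]
    return policy


def session_limits_policy(hours=8):
    """Session controls from Table 2-12: re-authenticate every N hours and never persist the browser session."""
    policy = base_policy("CA-SessionLimits")
    policy["grantControls"] = None  # session-only policy; Graph accepts null grant controls
    policy["sessionControls"] = {
        "signInFrequency": {"isEnabled": True, "type": "hours", "value": hours},
        "persistentBrowser": {"isEnabled": True, "mode": "never"},
    }
    return policy


def lint(policy):
    """Review checks to run before a policy leaves report-only. Returns a list of problems (empty = clean)."""
    problems = []
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"].get("includeApplications", [])
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    has_exclusion = any(users.get(key) for key in ("excludeRoles", "excludeUsers", "excludeGroups"))
    if users.get("includeUsers") == ["All"] and not has_exclusion:
        problems.append("All users included with no excluded admin role or break-glass account: lockout risk")
    if policy["state"] == "enabled":
        problems.append("state is enabled: create as report-only and review the sign-in log first")
    if "passwordChange" in controls and apps != ["All"]:
        problems.append("Require password change is only accepted when the policy targets All cloud apps")
    return problems


def render(policy):
    """JSON body for the Graph POST."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for build in (enforce_tou_policy, sign_in_risk_block_policy, device_compliance_policy, session_limits_policy):
        policy = build()
        print(render(policy))
        print("lint:", lint(policy) or "ok")
```

Policies are emitted in report-only state on purpose: PATCH the state to "enabled" only after the sign-in log shows the report-only results you expect, which is the same Report-only / On distinction the portal presents at the bottom of each policy blade.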
Implement continuous access evaluation

Continuous Access Evaluation (CAE) is an Azure AD feature that allows organizations to respond to policy violations or security issues in near real time, rather than waiting for an access token (valid for about an hour by default) to expire. It establishes a conversation between the token issuer, Azure AD, and the relying party, the resource provider (such as Exchange Online or SharePoint Online) that accepts the token. This two-way conversation lets the relying party detect changes in properties such as network location and ask Azure AD to re-evaluate, and lets Azure AD tell the relying party to stop honoring tokens for a specific user because of account compromise, account disablement, a password change or other critical events.

Continuous access evaluation is enabled by default and needs no policy of its own to work. A conditional access policy with the Customize continuous access evaluation session control can, however, disable it for the users and apps the policy targets. Read more about continuous access evaluation and conditional access at https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-session#customize-continuous-access-evaluation.


Create a conditional access policy from a template

Conditional access policy templates make it easier for administrators to implement new policies that follow Microsoft's security recommendations. They are intended to provide strong protection while matching the policies most commonly deployed across a wide range of customer types and locations. A policy created from a template is an ordinary conditional access policy: you can review and edit its assignments and controls afterwards, and it is worth keeping it in Report-only mode until the sign-in log confirms it behaves as expected.

Follow the steps below to create a conditional access policy from a template that enforces multifactor authentication for admins.

1. Sign in to the Azure portal, https://portal.azure.com, using a Global Administrator account.
2. Navigate to the Azure Active Directory dashboard by using the Azure Active Directory option available in the sidebar of the Azure portal.
3. Select Security from the left side pane.
4. Select Conditional Access from the left side pane, as shown in Figure 2-46.
5. Click + New policy from template (preview).
6. Select Identities from the template category and press the Next button.
7. Select Require multifactor authentication for admins and press the Next button.
8. Press the Create policy button.
Skill 2.4: Manage Azure AD Identity Protection

Azure AD Identity Protection (AADIP) is the crown jewel in Microsoft's identity security offering and can be fully leveraged with an Azure AD Premium P2 license (or equivalent). Microsoft analyzes 6.5 trillion signals per day from internal and partner sources to identify and protect customers from threats. Identity Protection risk signals can be fed into tools like Conditional Access to make access decisions, or exported to a security information and event management (SIEM) tool for further investigation, depending on the organization's needs.


This skill covers how to:

■ Implement and manage a user risk policy
■ Implement and manage sign-in risk policy
■ Implement and manage MFA registration policy
■ Monitor, investigate, and remediate elevated risky users
■ Implement security for workload identities


Implement and manage a user risk policy

Identity Protection learns what it recognizes as usual behavior for a user and uses that knowledge in its risk calculations. The calculated likelihood that an identity has been compromised is known as user risk. When a user risk policy is in place, users can self-remediate a detected risk by completing a secure password change (a password change protected by MFA); this clears the risk without an administrator having to dismiss it, which avoids unnecessary noise for administrators.

EXAM TIP

Azure AD Identity Protection as a feature and service is already deployed in your tenant, irrespective of your licensing status, and has been detecting risk since the inception of the tenant. Risk remediation involves configuration of risk policies (user/sign-in/workload) or performing manual remediation (UX/API).


Licensing requirements

Microsoft offers two flavors of premium licensing: P1 and P2. Aside from any additional licensing for workload identities, the Identity Protection feature set is divided across these license options, as shown in Figure 2-57.
Capability / Details / Azure AD Free and Microsoft 365 Apps / Azure AD Premium P1 / Azure AD Premium P2

Risk policies / User risk policy (via Identity Protection) / No / No / Yes
Risk policies / Sign-in risk policy (via Identity Protection or Conditional Access) / No / No / Yes
Security reports / Overview / No / No / Yes
Security reports / Risky users / Limited information: only users with medium and high risk are shown; no details drawer or risk history / Limited information: only users with medium and high risk are shown; no details drawer or risk history / Full access
Security reports / Risky sign-ins / Limited information: no risk detail or risk level is shown / Limited information: no risk detail or risk level is shown / Full access
Security reports / Risk detections / No / Limited information: no details drawer / Full access
Notifications / Users at risk detected alerts / No / No / Yes
Notifications / Weekly digest / No / No / Yes
MFA registration policy / MFA registration policy / No / No / Yes

FIGURE 2-57 AADIP licensing details.

As shown in Figure 2-57, P2 licensing contains all the bells and whistles, including:

■ The ability for end users to remediate risk themselves through risk remediation policies.
■ The ability to monitor risk and view the details of risk detected and remediated.
■ The ability to stream risk data into your existing Security Information and Event Management (SIEM) tooling for threat and incident response by using the Microsoft Graph APIs (the riskyUsers and riskDetections resources under identityProtection).

Throughout this skill, we will assume P2 licensing on the tenant in order to cover the full depth of concepts and capabilities.


Prerequisites

Configuring Identity Protection requires the administrator to hold one of the following roles, depending on the action to be taken within the Identity Protection blade:

■ Global Administrator, giving complete access to AADIP.
■ Security Administrator, allowing everything a Global Administrator can do in Identity Protection except reset a user's password.
■ Security Operator, allowing access to Identity Protection reports and alerts, and the ability to dismiss or confirm risk.
■ Security Reader, allowing read-only access to Identity Protection reports and to the alerts configuration.
Configure user risk security policy

Azure AD Identity Protection offers native options to remediate risk from within the Identity Protection blade. These are called Security Policies (also called IPC policies, where IPC stands for Identity Protection Center), and they are a quick and easy way to enable end-user risk remediation in your tenant.

To configure a user risk security policy:

1. Browse to portal.azure.com > sign in > Azure Active Directory > Security > Identity Protection > User risk policy, as shown in Figure 2-58.


2. Choose a user/group to be included in the policy, as shown in Figure 2-58. 


[Figure 2-58 shows the Identity Protection | User risk policy blade. The left navigation lists Overview, Diagnose and solve problems, Protect (User risk policy, Sign-in risk policy, MFA registration policy), Report (Risky users, Risky workload identities, Risky sign-ins, Risk detections), Notify (Users at risk detected alerts, Weekly digest) and Troubleshooting + support. The policy pane (Policy name: User risk remediation policy) shows Assignments with Users set to "1 user included and 6 users, 2 groups excluded", Include and Exclude tabs with Select individuals and groups chosen and one user selected, a warning that 2 users included or excluded in this policy have been deleted from the directory, and the Enforce policy toggle.]

FIGURE 2-58 User risk security policy.


3. Select the risk levels that you'd like to trigger end-user risk remediation for. Microsoft recommends setting up the policy for High user risk to have a good balance between security and productivity. Setting up a policy for all levels of risk might trigger too many requests to change the password, leading to more predictable and less random passwords.
4. You can set the Grant control to either Block access or Allow access and require a password change (enforced as a secure, MFA-protected password change).
5. Remember to select Enforce policy before selecting Save.

As you can see, security policies don't offer granular control over how remediation is applied: there is no scoping by application, location or device, and no way to combine controls. Therefore, risk remediation via Conditional Access was developed.

EXAM TIP

Currently, user risk is remediable only with a "secure password change." A secure password change is a password change process that is protected through MFA. Using Ctrl+Alt+Del and changing one's password on a Windows lock screen will change the password synchronized to the cloud but will not remediate risk.


Configure risk-based conditional access user risk policy

The advantage of configuring risk-based conditional access policies is the granular control they offer in both Condition controls and Grant controls. You can also combine Session controls with the Grant controls. You may create multiple policies for sign-in risk and/or user risk, for different risk levels and scoping different users, applications, locations, and so on. If multiple risk policies apply to the same sign-in, the most stringent action among them is the one enforced; for example, a policy that blocks wins over one that grants access with MFA.


To configure a user risk remediation conditional access policy:

1. Browse to portal.azure.com > sign in > Azure Active Directory > Security > Conditional Access > New policy.
2. Choose a user/group to be included in the policy.
3. For user risk remediation CA policies, it is recommended to choose All cloud apps as the applications you want access to be monitored for risk remediation.
4. Under Conditions, shift the Configure slider to Yes and choose User risk. Then choose the levels of risk to be targeted for end-user remediation. Microsoft recommends setting the policy for High user risk.
5. You can combine multiple condition controls (except sign-in risk) with the user risk condition control to lend granularity to your risk remediation scope.
6. You can get creative with your Grant controls by combining them. For example, as shown in Figure 2-59, user risk can be remediated in combination with forcing another action on the user. The grant control that must be chosen is Require password change, the only grant control that remediates risk on a user. The note beside it says this grant action is allowed only when the policy is assigned to All cloud apps, which is why user risk policies are recommended to be applied to all cloud apps in step 3.
FIGURE 2-59 CA user risk policy.


7. Press Select. 


8. Finally, Press Create. 


EXAM TIP

It is not recommended to have both security policies and conditional access risk policies enabled simultaneously for risk remediation. This causes conflicts, results in unpredictable outcomes, and is generally a recipe for troubleshooting nightmares for your identity SOC team.


[Figure 2-59 shows the Grant pane with Grant access selected and Require password change checked. An information note reads: "Require password change can only be used when policy is assigned to All cloud apps". Below the built-in controls, the tenant's custom controls (third-party MFA providers) are listed.]


Implement and manage sign-in risk policy

Sign-in risk can be remediated only when the detection is real-time and the user completes MFA at that sign-in. All other sign-in risk detections are offline: they are calculated after the sign-in has already taken place, so they contribute to the user's accumulated user risk instead. A sign-in risk remediation policy therefore cannot, after the fact, remediate risk that accrued once the sign-in completed; user risk CA policies are what mitigate accumulated offline sign-in risk.
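The distinction above matters when you read the Risk detections report or pull detections from Microsoft Graph (GET /identityProtection/riskDetections), because each detection carries a detectionTimingType that tells you whether a sign-in risk policy could have remediated it. The following is an added example, not code from the book: it takes detection records constructed by hand in the shape of the Graph risk detection resource and, per user, decides whether a sign-in risk policy (MFA) or a user risk policy (secure password change) is the remediation path, using the risk-level thresholds recommended in this skill (Medium and High for sign-in risk, High for user risk). The user names and detections are made up; the riskEventType, riskLevel, riskState and detectionTimingType values are the enumerations Graph uses.

```python
"""Decide which Identity Protection policy can remediate each open risk detection.

Added example, not code from the book. The records are constructed in the shape of the
Microsoft Graph riskDetection resource (GET /identityProtection/riskDetections); the users
and events are fictional.
"""
from collections import defaultdict

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}
REALTIME_TIMINGS = {"realtime", "nearRealtime"}   # evaluated while the sign-in is happening
OPEN_STATES = {"atRisk", "confirmedCompromised"}   # still waiting for remediation

# Constructed detections. anonymizedIPAddress and unfamiliarFeatures are real-time detections;
# leakedCredentials and passwordSpray are computed offline, after the sign-in.
DETECTIONS = [
    {"userPrincipalName": "sam@woodgrove.example", "riskEventType": "anonymizedIPAddress",
     "riskLevel": "medium", "riskState": "atRisk", "detectionTimingType": "realtime"},
    {"userPrincipalName": "sam@woodgrove.example", "riskEventType": "leakedCredentials",
     "riskLevel": "high", "riskState": "atRisk", "detectionTimingType": "offline"},
    {"userPrincipalName": "alex@woodgrove.example", "riskEventType": "unfamiliarFeatures",
     "riskLevel": "medium", "riskState": "remediated", "detectionTimingType": "realtime"},
    {"userPrincipalName": "kim@woodgrove.example", "riskEventType": "passwordSpray",
     "riskLevel": "low", "riskState": "atRisk", "detectionTimingType": "offline"},
]


def remediation_path(detection):
    """Real-time detections can be cleared by MFA at that sign-in; everything else accrues to user risk."""
    if detection["detectionTimingType"] in REALTIME_TIMINGS:
        return "signInRiskPolicy"
    return "userRiskPolicy"


def summarize(detections):
    """Per user, the highest open risk level that each policy type could address."""
    summary = defaultdict(lambda: {"signInRiskPolicy": "none", "userRiskPolicy": "none"})
    for detection in detections:
        if detection["riskState"] not in OPEN_STATES:
            continue  # remediated, dismissed or confirmed safe: nothing left to do
        path = remediation_path(detection)
        user = summary[detection["userPrincipalName"]]
        if RISK_ORDER[detection["riskLevel"]] > RISK_ORDER[user[path]]:
            user[path] = detection["riskLevel"]
    return dict(summary)


def recommended_actions(user_summary, user_risk_floor="high", sign_in_risk_floor="medium"):
    """Apply the thresholds recommended in this skill to one user's summary."""
    actions = []
    if RISK_ORDER[user_summary["userRiskPolicy"]] >= RISK_ORDER[user_risk_floor]:
        actions.append("secure password change (user risk policy)")
    if RISK_ORDER[user_summary["signInRiskPolicy"]] >= RISK_ORDER[sign_in_risk_floor]:
        actions.append("MFA challenge (sign-in risk policy)")
    return actions or ["monitor; below policy thresholds"]


def triage(detections):
    """Map each user with open detections to the remediation the policies would apply."""
    return {user: recommended_actions(summary) for user, summary in summarize(detections).items()}


if __name__ == "__main__":
    for user, actions in triage(DETECTIONS).items():
        print(user, "->", "; ".join(actions))
```

Sam shows up with both paths because the offline leaked-credentials detection has already raised user risk to High regardless of whether the earlier Tor sign-in was challenged; Kim's low offline detection sits below the High threshold and is only monitored; Alex's detection is already remediated and is not listed at all.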
Configure sign-in risk security policy

To create a sign-in risk security policy:

1. Browse to portal.azure.com > sign in > Azure Active Directory > Security > Identity Protection.
2. Select Sign-in risk policy, as shown in Figure 2-60.
3. Choose a user/group to be included in the policy.


[Figure 2-60 shows the Identity Protection | Sign-in risk policy blade with the same left navigation as Figure 2-58. The policy pane (Policy name: Sign-in risk remediation policy) shows Assignments with Users set to "1 user included and 2 groups excluded", the Sign-in risk condition, Controls with Access set to Require multi-factor authentication, and the Enforce policy toggle. The Include tab offers All users or Select individuals and groups, with one user selected.]

FIGURE 2-60 Sign-in risk security policy.


4. Select the risk levels that you'd like to trigger end-user risk remediation for. Microsoft recommends setting the policy for Medium and High sign-in risk to have a good balance between security and productivity. Setting up a policy for all levels of risk might cause MFA fatigue or accidental approvals.
5. You can set the Grant control to either Block access or Allow access and require multi-factor authentication.
6. Remember to select Enforce policy before selecting Save.


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 




EXAM TIP

It is good practice to exclude your break-glass accounts/groups from risk-based policies. Ideally, your break-glass accounts should be covered by a policy whose Grant control is set to Block access for all resources except management portals such as the Azure portal.


Sign-in risk CA policy

To configure a sign-in risk conditional access policy:

1. Browse to portal.azure.com > sign in > Azure Active Directory > Security > Conditional Access > New policy.
2. Choose a user/group to be included in the policy.
3. Choose the applications you want access to be monitored for risk remediation.
4. Under Conditions, shift the Configure slider to Yes and choose Sign-in risk. Then choose the levels of risk to be targeted for end-user remediation. Microsoft recommends setting up the policy for Medium and High sign-in risk.
5. Set Grant access to Require multi-factor authentication.
6. Finally, select Create.


Note the following regarding choosing custom controls as a grant control with risk-based conditional access. Although a custom control can be chosen as a grant control, it does not remediate risk on the sign-in. If a sign-in risk based conditional access policy is configured with a custom control as the grant option, the end user will be prompted for the relevant custom control when attempting a risky sign-in, and if the control challenge (for example, a third-party MFA) is satisfied, the end user will be granted access, but the risk on the sign-in will not have been remediated. The reason is that custom controls, as designed today, do not apply an MFA claim to the issued refresh token; all they provide is a binary Satisfied/Not Satisfied signal to the conditional access engine. Since there is no MFA claim on the refresh token, Identity Protection does not recognize it as a valid remediation action. By contrast, a third-party IdP (Identity Provider) federated with Azure AD will issue an MFA claim (if the third-party IdP is configured to do MFA) on the token it issues to Azure AD. In that case, Identity Protection respects the completed MFA and remediates the risk, provided the conditional access policy's grant control requires MFA and MFA is completed through the federated IdP.
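The policy built by the six steps above, expressed as the Microsoft Graph request body the portal sends, together with a lint check for the pitfalls discussed here (low-risk targeting, a missing break-glass exclusion, a custom control standing in for MFA). This is an added example, not code from the book or from Microsoft: the group object IDs are placeholders, the lint rules are this editor's reading of the caveats above, and the actual submission (POST to /identity/conditionalAccess/policies with the Policy.ReadWrite.ConditionalAccess permission) is left out so the script runs offline.

```python
"""Build and lint a sign-in risk Conditional Access policy.

Added example (not from the book). The dictionary follows the Microsoft Graph
conditionalAccessPolicy schema used by
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
All object IDs below are constructed placeholders.
"""
import json

# Constructed placeholder object IDs (assumptions; replace with your own).
BREAK_GLASS_GROUP_ID = "11111111-1111-1111-1111-111111111111"
PILOT_GROUP_ID = "22222222-2222-2222-2222-222222222222"

VALID_SIGNIN_RISK_LEVELS = {"low", "medium", "high"}


def build_signin_risk_policy(name, include_groups, exclude_groups,
                             risk_levels=("medium", "high"),
                             state="enabledForReportingButNotEnforced"):
    """Return a policy body: scoped groups, Medium/High sign-in risk, grant MFA.

    The policy starts in report-only mode; switch state to "enabled" once the
    Conditional Access insights workbook shows the expected impact.
    """
    unknown = set(risk_levels) - VALID_SIGNIN_RISK_LEVELS
    if unknown:
        raise ValueError(f"unknown sign-in risk level(s): {sorted(unknown)}")
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {
                "includeGroups": list(include_groups),
                "excludeGroups": list(exclude_groups),   # break-glass group goes here
            },
            "applications": {"includeApplications": ["All"]},
            "signInRiskLevels": sorted(risk_levels),
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": ["mfa"],   # the grant that actually remediates sign-in risk
        },
    }


def lint_signin_risk_policy(policy, break_glass_group_id):
    """Return a list of findings; an empty list means the policy looks sound."""
    findings = []
    conditions = policy.get("conditions", {})
    grant = policy.get("grantControls") or {}
    levels = set(conditions.get("signInRiskLevels", []))
    built_in = set(grant.get("builtInControls", []))

    if not levels:
        findings.append("no signInRiskLevels set: this is not a risk-based policy")
    if "low" in levels:
        findings.append("targets low risk: expect MFA fatigue and accidental approvals")
    if break_glass_group_id not in conditions.get("users", {}).get("excludeGroups", []):
        findings.append("break-glass group is not excluded")
    if grant.get("customAuthenticationFactors"):
        findings.append("custom control satisfies CA but does not remediate sign-in risk "
                        "(no MFA claim on the refresh token)")
    if not built_in & {"mfa", "block"}:
        findings.append("grant is neither mfa nor block: risk is neither remediated nor mitigated")
    elif built_in == {"block"}:
        findings.append("block mitigates the sign-in but the user cannot self-remediate")
    return findings


if __name__ == "__main__":
    policy = build_signin_risk_policy(
        "Sign-in risk remediation policy", [PILOT_GROUP_ID], [BREAK_GLASS_GROUP_ID])
    print(json.dumps(policy, indent=2))
    print("findings:", lint_signin_risk_policy(policy, BREAK_GLASS_GROUP_ID) or "none")
```

Run the lint against every policy that carries a signInRiskLevels condition before flipping it from report-only to enabled; a policy whose grant is a custom control passes the portal's validation but never clears the risk it was created to remediate.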


AADIP and B2B
The Azure AD ecosystem classifies B2B users into many types:

■ An Azure AD B2B user is defined as an identity using their organizational credentials in one Azure AD tenant to access resources in another Azure AD tenant.
■ There are B2B users using Microsoft (MSA) personal accounts like Hotmail, Outlook, etc.
■ There may also be B2B users hosted in non-Azure AD/vendor tenants.
■ There is the scenario where B2B users are homed in non-Microsoft personal accounts from popular vendors like Gmail, Yahoo!, etc.
■ And finally, there are accounts hosted on third-party on-premises identity systems.

There are a couple of principles to note when considering protection of B2B users using risk remediation policies:

■ Identity Protection is officially supported for Azure AD B2B users only.
■ Sign-in risk for an Azure AD B2B user is considered a property native to the resource tenant that the B2B user is attempting to access.
■ User risk for an Azure AD B2B user is considered a property of the user, and hence native to the home tenant that the B2B user belongs to.

This brings about curious behaviors that one must keep in mind when deploying risk remediation policies for Azure AD B2B guest users:

■ If an Azure AD B2B guest user develops sign-in risk while accessing a resource not in the home tenant, they will be prompted for MFA in the resource tenant and will be able to remediate risk through authentication methods registered either in the home tenant or in the resource tenant.
■ The risky sign-in is visible in the home tenant as well as in the resource tenant where the user is a guest.


Implement and manage MFA registration policy 


Using MFA reduces the adversarial attack surface on identities. Microsoft's MFA registration 
policy makes it simple for you to enroll your users in MFA. You can also gradually introduce it to 
your users by grouping them and configuring the group in the MFA registration policy. Scoped 
users will have a 14-day registration period that begins when they sign in interactively the next 
time. Users can continue to postpone registration for 14 days. The user must complete MFA regis- 
tration at the end of the 14-day period before they can complete their sign-in process. 


Configuration steps

Configuration can be a bit confusing, since Azure Active Directory has a separate MFA blade under Security. But the MFA registration policy is actually available for configuration in the Identity Protection blade.

1. Browse to portal.azure.com > sign-in > Azure Active Directory > Security > Identity Protection > MFA registration policy.
2. Choose the users and groups to be scoped for MFA registration. You can also set exclusions by user or group.
3. You have one compulsory control checkbox: Require Azure AD MFA registration.
   ■ Slide the Enforce policy slider to On.
   ■ Select Save.
Deployment considerations
Some deployment considerations to note:

■ The MFA registration policy is a P2 offering.
■ This feature is different from what is offered under portal.azure.com > sign-in > Azure Active Directory > Authentication Methods > Registration Campaign, popularly known as the "Nudge" feature. The registration campaign "nudges" a user, without a deadline, to onboard to a stronger authentication method like the Authenticator app. It is therefore complementary to the MFA registration policy.
■ The registration campaign offering is a P1 offering.


Monitor, investigate, and remediate elevated risky users 


The true value of Identity Protection is gleaned from the thorough understanding of how risk 
is presented against users, sign-ins, and workload identities in a tenant. These are available 
through UX tools like the Risk Reports, via API, and also through streaming data options to 
your SIEM (Security Information and Event Management) tool of choice. 


Understanding risk reports
Identity Protection offers three reports for three entity-level triage views of risk seen on the tenant:

■ Risky Users report
■ Risky Sign-ins report
■ Risk Detections report

Each of these reports can be viewed in the Azure portal by browsing to Azure Active Directory > Security > Identity Protection. The reports allow data export in CSV/JSON format, and general functions like searching/sorting by any column are available as standard. By default, the risk reports are filtered (to optimize page load times). Be sure to remove or adjust the filters depending on the needs of your investigation.

EXAM TIP
The risk reports have different retention periods. The Risky Users report keeps risky users for the lifetime of the tenant. The Risky Sign-ins report follows the retention of the sign-in logs (30 days). The Risk Detections report has a retention period of 90 days.
Risky Users report

The Risky Users report is a table of all the risky users in your tenant. By default, it is filtered for all active users that are risky. Look at the various options the report offers for triaging risky users, as shown in Figure 2-61.

[Figure 2-61 (screenshot, not reproduced): the Risky users report with columns for user, Risk state, Risk level/Risk detail and Risk last updated. Sample rows show a user At risk at High (4/12/2022), a user Remediated (User performed secured password change, 3/15/2022) and a user At risk at Medium (11/9/2021). The left menu continues with Risk detections and Troubleshooting + Support.]

FIGURE 2-61 The Risky Users report.


■ Risk State: This depicts the current risk state of the user. It can take the following values:
  ■ At Risk (determined to be still risky)
  ■ Confirmed Compromised (a special type of "at risk" state denoting that the administrator determined the user to be risky)
  ■ Remediated (determined to be no longer at risk, remedied by an end-user secure password change)
  ■ Dismissed (a special type of "no longer at risk" state, where the admin determined the user to be not risky)

■ Risk Level: This depicts the risk level calculated by AADIP at the time the risk was last updated. It can take the values High, Medium, Low, or None.

■ Risk Detail: This offers more information about the transition of Risk States from the first Risk Level determined. It can take the following values:
  ■ User performed secure password change/reset
  ■ Admin confirmed compromised
  ■ Admin dismissed all risk for user
  ■ Admin generated temporary password for user

■ Risk last updated: This is a key value to check when trying to understand why a user is risky. You would normally look into the user's associated sign-ins or risk detections to understand what contributed risk to that user. If you find nothing in either, this field becomes useful: if the timestamp is more than 90 days old, the detections that made the user risky have aged out of the Risk Detections report's 90-day retention, which is why no risk detections appear for the risky user.

■ Risk processing state: This is useful when admin actions (such as Confirm Compromised/Dismissal) are taken; it shows whether Identity Protection is still processing the resulting change to the user's risk.


In the User Details pane, as shown in Figure 2-62, additional triage and investigation options 
are offered: 
■ User's risky sign-ins: Takes you to a filtered view of the Risky Sign-ins report.
■ User's risk detections: Takes you to a filtered view of the Risk Detections report.
■ Reset password: Allows the admin to reset the user's password to a temporary string (a useful option for help desk staff, especially when a Block risky user policy is configured).
■ Confirm user compromised/Dismiss user risk: Options to manually control the risk state of a user.
■ Block user: Disables access for the user.
■ Investigate with Azure ATP: This is a useful option for users that have accrued risk from detections that are non-native detections. Today, it takes you to the Microsoft Defender for Cloud portal, but as new detections from other products in the Microsoft suite are surfaced/integrated, that link will change to a redirection to the Microsoft 365 Defender portal, where you can investigate the scenario in depth.

FIGURE 2-62 Risky Users Details.


EXAM TIP

The Block User option works reliably for cloud identities only! For federated or synchronized identities, this action will be overridden by Azure AD Connect, which enforces the on-premises directory as the source of authority.


Risky Sign-ins report
The Risky Sign-ins report, as shown in Figure 2-63, is a table of all the risky sign-ins occurring in your tenant. By default, it is filtered for all unremediated sign-ins.

Pay attention to the following:

■ Configure Trusted IPs: In triaging risky sign-ins, one may often find risk attributed to legitimate sign-ins from known IP addresses. In such a case, this option can be used to configure all the trusted IPs for the environment. Identity Protection uses these trusted locations to reduce false positives in its risk calculations for sign-ins sourced from them.
■ Risk level (real-time): Reports the real-time risk calculated against the sign-in.
■ Risk level (aggregate): Reports the cumulative risk (real-time and offline) incurred against the sign-in.
■ Confirm sign-in compromised/Confirm sign-in safe: Like the options for risky users, these admin actions also elevate/nullify the risk score associated with the sign-in.

Neither the "Confirm compromised" nor the "Confirm safe" action "familiarizes" features for a sign-in or user today. So if you have a block policy and a user is blocked because Identity Protection called out risk due to unfamiliarity in the conditions around the sign-in, simply confirming the sign-in to be safe will not resolve the issue for the user. In all likelihood, if they log in from the same location again, they might be called out for risky behavior again. Microsoft always recommends setting grant controls such as "Require MFA" or "secure password change" for sign-in and user risk policies, respectively.

FIGURE 2-63 Risky sign-ins.


You can select an entry from the report to bring up the Risky Sign-in Details pane, as shown in Figure 2-64, which contains more information, including:

■ Sign-in time: Records the timestamp of the sign-in.
■ Time detected: Records the timestamp when Identity Protection first deemed the sign-in risky.
■ Detection last updated: Records the timestamp when the last end-user, AI, or admin action was taken on the sign-in.

When looking at the activity of a user at risk, be it their account risk or session (sign-in) risk, it is important to look at the entirety of their activity. Identity Protection does not just protect user activity during interactive sign-ins but also monitors and evaluates risk for non-interactive sign-ins. These sign-in types can be selected through a filter available in the Risky Sign-ins report. Thus, while you might find a user to be risky with no associated sign-ins, it is possible that their silent non-interactive sign-ins are contributing to aggregate/account risk. Non-interactive user sign-ins are those performed on a user's behalf by a client application or a background service. These sign-ins, unlike interactive user sign-ins, do not require the user to provide an authentication factor. Instead, a token or code is used by the device or client app to authenticate or access a resource on behalf of the user.

FIGURE 2-64 Risky Sign-ins Details.
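As an added example (not from the book), the triage reasoning described above for the Risk last updated field and for non-interactive sign-ins, run over constructed records shaped like the Graph riskyUser, riskDetection and signIn resources (the same data the AADRiskyUsers, AADUserRiskEvents and SigninLogs tables carry when you export to Log Analytics). The 90-day retention figure comes from the Exam Tip earlier in this section; the sample users, timestamps and "today" date are made up.

```python
"""Triage risky users against their risk detections and sign-ins.

Added example (not from the book). The records mimic the Microsoft Graph
riskyUser, riskDetection and signIn resources; they are constructed sample
data, not real tenant output.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 4, 15, 12, 0, tzinfo=timezone.utc)   # constructed "today"
DETECTION_RETENTION = timedelta(days=90)                  # Risk Detections report retention
ACTIVE_STATES = {"atRisk", "confirmedCompromised"}

RISKY_USERS = [  # constructed
    {"id": "u1", "userPrincipalName": "alice@example.com", "riskState": "atRisk",
     "riskLevel": "high", "riskLastUpdatedDateTime": "2022-04-12T11:36:01Z"},
    {"id": "u2", "userPrincipalName": "bob@example.com", "riskState": "atRisk",
     "riskLevel": "medium", "riskLastUpdatedDateTime": "2021-11-09T09:20:34Z"},
    {"id": "u3", "userPrincipalName": "carol@example.com", "riskState": "atRisk",
     "riskLevel": "medium", "riskLastUpdatedDateTime": "2022-04-14T03:05:00Z"},
    {"id": "u4", "userPrincipalName": "dave@example.com", "riskState": "remediated",
     "riskLevel": "none", "riskLastUpdatedDateTime": "2022-03-15T03:51:48Z"},
]
RISK_DETECTIONS = [  # constructed; bob has none left within retention
    {"userId": "u1", "riskEventType": "unfamiliarFeatures", "activity": "signin",
     "detectionTimingType": "realtime", "detectedDateTime": "2022-04-12T11:36:01Z"},
    {"userId": "u3", "riskEventType": "anomalousToken", "activity": "signin",
     "detectionTimingType": "offline", "detectedDateTime": "2022-04-14T03:05:00Z"},
]
SIGN_INS = [  # constructed; carol's only risky sign-in is a silent token refresh
    {"userId": "u1", "isInteractive": True, "riskLevelAggregated": "medium"},
    {"userId": "u3", "isInteractive": False, "riskLevelAggregated": "medium"},
    {"userId": "u3", "isInteractive": True, "riskLevelAggregated": "none"},
]


def parse_ts(value):
    """Graph timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_risky_users(risky_users, detections, sign_ins, now=NOW,
                       retention=DETECTION_RETENTION):
    """Explain, per active risky user, where their risk comes from."""
    det_by_user, risky_signins_by_user = {}, {}
    for d in detections:
        det_by_user.setdefault(d["userId"], []).append(d)
    for s in sign_ins:
        if s.get("riskLevelAggregated", "none") != "none":   # aggregate includes offline risk
            risky_signins_by_user.setdefault(s["userId"], []).append(s)

    results = {}
    for user in risky_users:
        if user["riskState"] not in ACTIVE_STATES:
            continue                                          # remediated/dismissed: nothing to do
        dets = det_by_user.get(user["id"], [])
        risky = risky_signins_by_user.get(user["id"], [])
        age = now - parse_ts(user["riskLastUpdatedDateTime"])
        if not dets and not risky:
            reason = ("detections aged out of retention" if age > retention
                      else "no detections visible: clear the report filters")
        elif risky and not any(s["isInteractive"] for s in risky):
            reason = "risk driven by non-interactive sign-ins only"
        else:
            reason = "interactive risky sign-in present"
        results[user["userPrincipalName"]] = {
            "riskLevel": user["riskLevel"],
            "detections": sorted({d["riskEventType"] for d in dets}),
            "riskySignIns": len(risky),
            "riskAgeDays": age.days,
            "reason": reason,
        }
    return results


if __name__ == "__main__":
    for upn, info in triage_risky_users(RISKY_USERS, RISK_DETECTIONS, SIGN_INS).items():
        print(f"{upn:20} {info['riskLevel']:7} {info['reason']}  {info['detections']}")
```

Bob is the case the text warns about: an active risky user with nothing to show in either filtered report, explained by a Risk last updated timestamp older than the detection retention. Carol shows the second trap: her only interactive sign-in is clean, and the risk sits on a non-interactive sign-in that the default report filter hides.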


EXAM TIP

The sign-in risk's Time detected and Detection last updated timestamps are very useful in troubleshooting what occurred on a sign-in. Microsoft publishes offline detections within 48 hours of a sign-in, and these timestamps let you validate that you indeed see this in your tenant. In other instances, these times help you draw a timeline between the sign-in, in-app activity, remediation attempts, any AI (offline risk engine) activity, and admin actions on a sign-in and its associated detection(s).
Risk Detections report
The Risk Detections report, as shown in Figure 2-65, is a table of all the risk detections in your tenant. Risk detections form the basis of all risk incurred on users and sign-ins in the tenant. One or more risk detections may be associated with a particular sign-in or user. By default, it is filtered for all active detections.

When thinking about risk reporting for B2B users, there are a couple of things to note:

■ If an Azure AD B2B guest user develops or possesses risk and attempts to access a resource in the non-home tenant, and if the user is covered by a user risk policy and is subsequently blocked (per the above!), this is not visible in the resource tenant's Risky Users report.
■ Administrators cannot dismiss risk for Azure AD B2B guest users in the resource tenant.

Identity Protection has recently improved the signal-to-noise ratio (SNR) for low-risk risky sign-ins. The detection systems now run both in real time and offline (post authentication) to understand whether sign-ins and users are compromised. The offline machine learning model scores sign-ins with different features and algorithms to determine whether a sign-in was compromised. The output of this offline model is the aggregate sign-in risk level, which represents the most recent evaluation of whether that sign-in was compromised.

NEED MORE REVIEW? HOW RISK DETECTIONS WORK

Read more about Azure AD Risk Detections at: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks.

[Figure 2-65 (screenshot, not reproduced): the Risk detections report with columns including Detection time, User, and Location.]

FIGURE 2-65 Risk detections.
Risk remediation considerations

Remediation involves reversing the contribution of risk to the entity's risk score. Remediation can be performed on a sign-in or a user. When a risky sign-in is remediated, all contribution to the sign-in risk score by the risk detections associated with that sign-in is reversed. When a risky user is remediated, all contribution to the user risk score by the risk detections associated with that user, whether contributing directly or indirectly (via aggregate risk), is reversed.

When a user, workload, or a user's sign-in is deemed to be at risk, it needs to be alleviated to ensure that a certain level of security is maintained in your tenant. Risk indicates the possibility of compromise. To mitigate that risk, an administrator may either manually remediate user/sign-in risk or choose to utilize end-user remediation options by configuring a risk remediation conditional access policy. Risks on workload identities don't support remediation methods today, and the only action allowed upon detecting risk is "Block."

The advantage of using end-user remediation via policies is that the remediation signal is fed back into Identity Protection to improve the precision of the risk determination in your tenant. This results in:

■ A better balance between security and productivity
■ Reduced time-to-response (TTR) toward risk detected, since this responsibility is passed on to the end user
■ Reduced help desk/identity admin overhead, because the volume of risk data to be triaged manually shrinks

There are two types of risk remediation methods supported today:

■ Sign-in risk remediation via MFA
■ User risk remediation via a secure password change

Identity Protection offers two independent methods to remediate risk via policy:

■ Identity Protection Security Policies
■ Risk-based Conditional Access Policies
NOTE DIFFERENCES BETWEEN ALWAYS-ON MFA AND RISK-REMEDIATION TRIGGERED MFA

If conditional access allows the triggering of MFA for each interactive logon, and intelligently too with Session Management, Reauthentication, and Continuous Access Evaluation (CAE) controls, what is the use of MFA triggered through risk detection?

First, always-on MFA can introduce MFA fatigue. It increases the likelihood of a user inadvertently approving an MFA request. This can offer the attacker an opportunity to obtain a token with an MFA claim, and an attacker who is smart enough might register their own MFA credential against the compromised identity to gain persistence.

Second, many detections in the detection suite don't just protect the sign-in at authentication but also learn from behavior throughout a user's journey accessing resources and utilizing endpoints. Detections can determine abnormal behavior through this information; for example, suspicious email behavior can trigger risk within Identity Protection.

Third, Identity Protection offers its various risk detection protections not just for interactive sign-in scenarios but for non-interactive sign-ins as well. This means that risk is determined each time a new Access Token/Refresh Token pair is issued. Therefore, a user's SSO experience is protected by Identity Protection silently. Thus, Identity Protection offers an important layer of protection in an MFA-protected environment, where it intelligently monitors login and resource access activity to trigger in-line asynchronous authentication verification from the end user to protect access to resources.


Identity Protection notifications

AADIP sends two types of automated notification emails to help you manage user risk and risk detections:

■ Users at risk detected email: To enable immediate investigation of users at risk
■ Weekly digest email: Offering a summary of new risky users and real-time risky sign-ins detected over the last calendar week

To configure the Users at Risk email in the Azure portal, browse to Azure Active Directory > Security > Identity Protection > Users at risk detected alerts.

To configure the weekly digest email for recipients in your tenant, in the Azure portal, browse to Azure Active Directory > Security > Identity Protection > Weekly digest.

There are two corner-case scenarios related to notifications:

■ Users at Risk email notifications: To prevent a barrage of emails, only one email is sent for risk detected in a 5-second period. Also, if risk is detected for an older sign-in (offline risk) and an email has already been sent for a more recent sign-in, then email notifications are throttled for the older sign-in. Finally, if end-user remediation via policies is deployed, it is quite possible that a user remediates their risk state before you address the email notification sent to alert you to their risk state.
■ Weekly Digest email notifications: Users in the Global Administrator, Security Administrator, or Security Reader roles are automatically enrolled to receive the weekly digest emails. An attempt is made to send it to the first 20 members in each role. Only users who hold one of the above roles at the time the email is sent can receive the email. Those eligible for the role but not elevated into it at the time the email is sent won't receive it.

EXAM TIP

AADIP currently doesn't support sending emails to group-assigned roles.


SIEM Integrations

An essential part of managing identity security at scale is the ability to spool authentication and threat events to a SIEM to aid incident response, threat hunting, and troubleshooting. AADIP generates the following kinds of logs:

■ User Risk Events (user risk detections)
■ Risk information in sign-ins
■ Risky users
■ Audit data
■ Risky Service Principals
■ Service Principal Risk Events

Exporting risk data

Using this method, organizations can choose to store Identity Protection-related risk data for longer periods than the default retention period in Azure AD. To do so, in the Azure portal, browse to Azure Active Directory > Diagnostic settings > Edit setting, as shown in Figure 2-66, and select between archiving data to a storage account, streaming it to an event hub, or making it available to Log Analytics or a partner solution.

FIGURE 2-66 Diagnostic settings.

Microsoft's own version of cold storage would be to stream data into a storage account. However, if you want to make the data available for use within the Microsoft ecosystem, you could choose to stream it to Event Hubs. Event Hubs supports first- and third-party (non-Microsoft) connectors that allow third-party SIEMs to pull the data off Event Hubs. You could also make the data available in Log Analytics to write threat-hunting queries on a sample set of data on the fly. Finally, Microsoft supports direct integration with some partner vendor solutions such as Apache Kafka, Datadog, Elastic, and Logz.io.

NEED MORE REVIEW? INTEGRATE AZURE AD LOGS WITH AZURE MONITOR LOGS

Read more about integrating Azure AD logs with Azure Monitor at: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics
Implement security for workload identities

Just as with risk-based policies for user principals, Microsoft now offers risk detections and remediation options for workload identities as well! For licensing considerations for workload identities, always refer to the licensing requirements detailed at https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection#license-requirements. Currently, an active P2 license in the tenant can help secure workload identities with Identity Protection. However, when this feature is more generally available, additional licensing may be required.

A workload identity can be any application, service principal, or managed identity that attempts access to resources without human intervention. Workload identities need to be separated from user identities because their native characteristics differ from those of user identities. For example, a workload identity cannot perform multifactor authentication based on biometric proofs. Their credentials require security provisions whose requirements are very different from those of user credential methods. Something you know (a password or the storage of a memorized secret) is typically not the responsibility of an identity provider, but this is not so for workload identities. They are also typically privileged with permissions that are not normally or liberally assigned to user identities, requiring greater monitoring and review.


Configure risk-based Conditional Access policy for workload identities

Today, Conditional Access for workload identities offers only "Block" as a grant control. Therefore, Conditional Access offers mitigation of risk rather than remediation (at the time of writing this book), but it is expected that there will be automatic remediation options in the future. To create a Workload Identity risk policy in Conditional Access:

1. Browse to portal.azure.com > sign-in > Azure Active Directory > Security > Conditional Access > New policy.
2. Choose a workload identity to be included in the policy. Here, although Microsoft regresses to an older term (viz., service principal), this is only because, as part of public preview, only single-tenant service principals are in scope; i.e., third-party SaaS applications and multi-tenanted applications that you may have published, as well as Managed Identities, are out of scope for now!
3. Under Cloud apps or actions, choose All cloud apps.
4. Under Conditions, for Service principal risk (preview), shift the Configure slider to Yes and choose Service principal risk. Then choose the levels of risk that should trigger the policy (there is no end user to remediate here, so the policy blocks). You can also combine this with a location condition limiting access for the scoped service principals. Service principals usually have fixed/finite IPs; therefore, the Location condition is a convenient option to narrow down access.

As mentioned above, only the Block grant control is supported today. But watch for remediation options in the future! See Figure 2-67.
[Figure 2-67 (screenshot, not reproduced): a new Conditional Access policy in the Azure portal. Assignments: Users or workload identities set to "All owned service principals" (Workload identities (preview)); Cloud apps or actions: All cloud apps; Conditions: 1 condition selected. Access controls: Grant shows Block access as the only available control, with a note that some controls are not available due to the "Workload identities (preview)" selection in the policy assignment; Session: 0 controls selected; Enable policy: On/Off.]

FIGURE 2-67 CA workload identity risk policy.
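The policy from the steps above as the Graph request body the portal submits, plus a check of which service principals in an inventory the policy would actually cover. This is an added example, not the book's or Microsoft's code: the tenant ID, named-location ID and inventory are constructed, and the scope test is this editor's encoding of the in-scope statement in step 2 (tenant-owned, single-tenant service principals only), which should be re-checked against current documentation because the feature was in preview when the book was written.

```python
"""Build a workload-identity risk policy and check which service principals it covers.

Added example (not from the book). The body follows the Microsoft Graph
conditionalAccessPolicy schema (clientApplications + servicePrincipalRiskLevels).
Tenant ID, named-location ID and inventory are constructed sample data.
"""
import json

MY_TENANT_ID = "aaaaaaaa-0000-0000-0000-000000000001"         # constructed
TRUSTED_LOCATION_ID = "bbbbbbbb-0000-0000-0000-000000000002"  # constructed named location
VALID_SP_RISK_LEVELS = {"low", "medium", "high"}


def build_workload_identity_policy(name, risk_levels=("medium", "high"),
                                   trusted_location_ids=(), state="enabled"):
    """Block risky sign-ins of tenant-owned service principals.

    With trusted_location_ids, the block applies only outside those named
    locations, which is how a fixed egress IP range narrows the policy.
    """
    unknown = set(risk_levels) - VALID_SP_RISK_LEVELS
    if unknown:
        raise ValueError(f"unknown service principal risk level(s): {sorted(unknown)}")
    conditions = {
        "clientApplications": {"includeServicePrincipals": ["ServicePrincipalsInMyTenant"]},
        "applications": {"includeApplications": ["All"]},
        "servicePrincipalRiskLevels": sorted(risk_levels),
    }
    if trusted_location_ids:
        conditions["locations"] = {"includeLocations": ["All"],
                                   "excludeLocations": list(trusted_location_ids)}
    return {"displayName": name, "state": state, "conditions": conditions,
            "grantControls": {"operator": "OR", "builtInControls": ["block"]}}  # only grant offered


def scope_reason(sp, tenant_id):
    """Return None if the policy covers this service principal, else why not.

    The rules are an assumption drawn from the book's scope statement.
    """
    sp_type = sp.get("servicePrincipalType")
    if sp_type == "ManagedIdentity":
        return "managed identity: out of scope"
    if sp_type != "Application":
        return f"type {sp_type}: out of scope"
    if sp.get("appOwnerOrganizationId") != tenant_id:
        return "app owned by another tenant (SaaS/multi-tenant publisher): out of scope"
    if sp.get("signInAudience") != "AzureADMyOrg":
        return "multi-tenant app you published: out of scope"
    return None


def split_inventory(service_principals, tenant_id=MY_TENANT_ID):
    """Return (covered appIds, {uncovered appId: reason})."""
    covered, uncovered = [], {}
    for sp in service_principals:
        reason = scope_reason(sp, tenant_id)
        if reason is None:
            covered.append(sp["appId"])
        else:
            uncovered[sp["appId"]] = reason
    return covered, uncovered


INVENTORY = [  # constructed; fields mirror the Graph servicePrincipal resource
    {"appId": "app-single", "servicePrincipalType": "Application",
     "appOwnerOrganizationId": MY_TENANT_ID, "signInAudience": "AzureADMyOrg"},
    {"appId": "app-multi", "servicePrincipalType": "Application",
     "appOwnerOrganizationId": MY_TENANT_ID, "signInAudience": "AzureADMultipleOrgs"},
    {"appId": "saas-vendor", "servicePrincipalType": "Application",
     "appOwnerOrganizationId": "cccccccc-0000-0000-0000-000000000003",
     "signInAudience": "AzureADMultipleOrgs"},
    {"appId": "mi-vm", "servicePrincipalType": "ManagedIdentity",
     "appOwnerOrganizationId": MY_TENANT_ID, "signInAudience": "AzureADMyOrg"},
]

if __name__ == "__main__":
    policy = build_workload_identity_policy("Block risky workload identities",
                                            trusted_location_ids=[TRUSTED_LOCATION_ID])
    print(json.dumps(policy, indent=2))
    covered, uncovered = split_inventory(INVENTORY)
    print("covered:", covered)
    print("uncovered:", uncovered)
```

The uncovered list is the useful output: every managed identity and every multi-tenant or vendor-owned service principal still needs its own monitoring (credential review, sign-in log alerts) because this policy never evaluates them.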


Monitor, investigate, and remediate workload identity risk

The options available for security administrators to monitor, investigate, and remediate risk on user identities are now also extended to workload identities. Risk data is available via:

■ The Risky Workload Identities blade
■ Graph APIs
■ Azure Monitor

There are some important differences between these options and those offered for user identities.

As mentioned earlier, Workload Identity risk policies in Conditional Access today offer only mitigation of risk. However, Microsoft strongly recommends that further action be taken upon detecting risk on Workload Identities, including:

■ Inventory credentials on the identities called out at risk.
■ Delete credentials when the identity is suspected to be compromised.
■ Add new credentials, preferably X.509 certificates.
■ When using workload identities with Azure Key Vault (AKV), remediate any AKV secrets that the workload identity has access to, by rotating them.
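The four recommendations above as a concrete plan for one compromised workload identity. This is an added example, not from the book or the Azure AD Toolkit: the application record is constructed, the keyVaultSecrets field is invented to stand in for whatever secret inventory you keep, and the plan only lists the Graph calls (removePassword, addKey, removeKey) and Key Vault rotations in order; nothing is executed.

```python
"""Plan credential remediation for a compromised workload identity.

Added example (not from the book or the Azure AD Toolkit). The application
record mirrors the Graph application resource's passwordCredentials and
keyCredentials collections; keyVaultSecrets is an invented field listing the
secrets this workload reads. The plan lists Graph calls and Key Vault
rotations in the order to run them; nothing here executes them.
"""
from datetime import datetime, timezone

NOW = datetime(2022, 4, 15, tzinfo=timezone.utc)   # constructed "today"

APP = {  # constructed sample application object
    "id": "obj-app-1", "appId": "app-1", "displayName": "billing-sync",
    "passwordCredentials": [
        {"keyId": "pw-1", "displayName": "dev-laptop", "endDateTime": "2023-01-01T00:00:00Z"},
        {"keyId": "pw-2", "displayName": "ci", "endDateTime": "2021-06-01T00:00:00Z"},
    ],
    "keyCredentials": [
        {"keyId": "cert-1", "type": "AsymmetricX509Cert", "usage": "Verify",
         "endDateTime": "2022-12-31T00:00:00Z"},
    ],
    "keyVaultSecrets": ["https://kv-billing.vault.azure.net/secrets/db-conn"],
}


def parse_ts(value):
    """Graph timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def remediation_plan(app, now=NOW):
    """Inventory every credential, then remove them all and rotate dependent secrets.

    Expired credentials are removed too: they prove nothing about exposure and
    only clutter the inventory. Certificates are replaced rather than kept because
    the private key's exposure is unknown. addKey/removeKey need a proof JWT
    signed with a key that is still registered, so the new certificate is added
    before the old ones are removed; an app with no certificate at all gets its
    first one via PATCH on keyCredentials instead.
    """
    base = f"/applications/{app['id']}"
    inventory, steps = [], []

    for pw in app.get("passwordCredentials", []):
        inventory.append(("password", pw["keyId"], parse_ts(pw["endDateTime"]) < now))
        steps.append(("POST", f"{base}/removePassword", {"keyId": pw["keyId"]}))

    new_cert = {"type": "AsymmetricX509Cert", "usage": "Verify", "key": "<new-cert-der-base64>"}
    certs = app.get("keyCredentials", [])
    if certs:
        steps.append(("POST", f"{base}/addKey",
                      {"keyCredential": new_cert, "proof": "<jwt-signed-with-existing-cert>"}))
        for cert in certs:
            inventory.append((cert["type"], cert["keyId"], parse_ts(cert["endDateTime"]) < now))
            steps.append(("POST", f"{base}/removeKey",
                          {"keyId": cert["keyId"], "proof": "<jwt-signed-with-new-cert>"}))
    else:
        steps.append(("PATCH", base, {"keyCredentials": [new_cert]}))

    for secret_id in app.get("keyVaultSecrets", []):
        steps.append(("KEYVAULT", "rotate-secret", {"id": secret_id}))

    return {"inventory": inventory, "steps": steps}


if __name__ == "__main__":
    plan = remediation_plan(APP)
    for kind, key_id, expired in plan["inventory"]:
        print(f"{kind:20} {key_id:8} {'EXPIRED' if expired else 'valid'}")
    for method, target, body in plan["steps"]:
        print(method, target, body)
```

Key Vault rotation comes last on purpose: rotating the vault secrets before the old application credentials are gone leaves a window in which the attacker's stolen client secret can still read the new values.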
Microsoft has published a detailed guide for Security Operations teams to help them in their monitoring and incident response effort around securing applications: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications. There is also an Azure AD Toolkit, a PowerShell module, that offers easy CLI options for performing some of the above recommended operations: https://github.com/microsoft/AzureADToolkit.

Another major difference to note is that, for user identities, there are two types of risk reported:

■ User Account Risk
■ Sign-in Session Risk

All risk detections for user identities fall under the above two risk classifications. For Workload Identities today, all risk detections offered contribute to workload identity account risk only; i.e., there are no risk detections for workload identities contributing to risk determined at the workload identity sign-in or session level (as of this book's writing, which is not to say this will remain so in the future!). For details on the different types of workload identity risk detections, refer to https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-workload-identity-risk#workload-identity-risk-detections. Therefore, it follows that while there are two risk reports offered for User Identities, for Workload Identities today administrators monitor, investigate, and remediate risk via the Risky Workload Identities report and its Risk detections tab, as shown in Figure 2-68 and Figure 2-69, respectively.


[Figure 2-68 (screenshot, not reproduced): Identity Protection > Risky workload identities (preview), with the Risky Workload Identity Details pane open.]

FIGURE 2-68 Workload Identity Risk report.

[Figure 2-69 (screenshot, not reproduced): Identity Protection > Risk detections, filtered to the last 90 days, with columns including Detection timing and Source.]

FIGURE 2-69 Workload Identity Risk detections report tab.


Skill 2.5: Implement access management for Azure resources

Using Azure roles to assign and manage access to resources is an important part of the administrator's job. It is always recommended to follow the principle of least privilege, which states that only the absolute minimum permissions should be granted to users and groups. Azure provides both built-in roles and the ability to create custom roles as needed to ensure that organizations can create roles that meet their needs. Also, management of secrets, credentials, certificates, and keys is a challenge in any cloud-based system. This is where managed identities come in and relieve developers of the burden of managing credentials.

This skill covers how to:

■ Assign Azure roles
■ Configure custom Azure roles
■ Create and configure managed identities
■ Use managed identities to access Azure resources
■ Analyze Azure role permissions
■ Configure Azure Key Vault RBAC and policies


Assign Azure roles

The primary mechanism you use to control access to Azure resources is Azure role-based access control (Azure RBAC). A role assignment binds a role definition to a security principal at a scope (management group, subscription, resource group, or resource). Roles can be assigned to the following security principals:

■ Users
■ Groups
■ Service principals
■ Managed identities

The Azure portal, Azure PowerShell, Azure CLI, Azure SDKs, or REST APIs can all be used to assign roles. The Access control (IAM) page in Azure, as shown in Figure 2-70, can be used to assign Azure roles. Each subscription can have up to 4000 role assignments (the counter in the figure shows this limit); assignments at subscription, resource group, and resource scope all count against it. Each management group can have up to 500 role assignments. Read more about role-based access assignment at https://learn.microsoft.com/en-us/azure/role-based-access-control/overview.


[Figure 2-70 screenshot: sc-300-demo-rg | Access control (IAM), Role assignments tab (other tabs: Check access, Roles, Deny assignments). Counter "Number of role assignments for this subscription: 25 / 4000". 23 items (3 Users, 4 Service Principals, 16 Managed Identities) grouped by role: Azure Kubernetes Service Contributor Role, Contributor, Kubernetes Extension Contributor, Log Analytics Contributor]

FIGURE 2-70 Azure role assignments.


Configure custom Azure roles 


Like built-in roles, custom roles can be assigned to users, groups, service principals, or managed identities. When building a custom role, administrators can adhere to the principle of least privilege so that it includes only the permissions necessary for the new role and nothing else. Custom roles can be shared between subscriptions and are stored in the Azure AD directory (tenant), which can contain as many as 5,000 custom roles. The Azure portal, Azure PowerShell, Azure CLI, or REST API can all be used to create custom roles.
Note that the portal steps below, and Figure 2-71, create an Azure AD custom role: a directory role whose permissions are microsoft.directory/... actions over application registrations and enterprise applications. An Azure RBAC custom role for Azure resources is instead created from the Access control (IAM) page of a subscription or resource group by selecting Add > Add custom role, where you choose Actions, NotActions, and assignable scopes; the "Read more" link at the end of this section describes that path. To create a new Azure AD custom role using the Azure portal, follow these steps:

1. Sign in to the Azure portal, https://portal.azure.com, using a Global Administrator (or Privileged Role Administrator) account.

2. Navigate to the Azure Active Directory dashboard by using the Azure Active Directory option available in the sidebar of the Azure portal.

3. Select Roles and administrators from the left pane, and then select New custom role.

4. Fill in the Basics as needed and then press Next.

5. Select the permissions that match your requirements and press Next. Figure 2-71 shows the permissions assignment page along with a search bar to find the permission by name or description.

6. Finally, review the details on the Review + create tab and press Create to finish creating the new custom role.


[Figure 2-71 screenshot: New custom role wizard with the Basics, Permissions, and Review + create tabs. The Permissions tab notes that permissions for Application registrations and Enterprise applications are currently supported in custom roles, offers a search box by permission name or description, and lists permissions such as microsoft.directory/applicationPolicies/allProperties/read, microsoft.directory/applicationPolicies/allProperties/update, microsoft.directory/applicationPolicies/basic/update, microsoft.directory/applicationPolicies/create, and microsoft.directory/applicationPolicies/createAsOwner]

FIGURE 2-71 Create a custom role.


Read more about configuring custom roles at https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles#steps-to-create-a-custom-role.
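The two preceding sections describe what a role assignment is (principal, role definition, scope) and how a custom role narrows permissions. The following is an added example, not from the book or from Microsoft, that puts both together: it writes a least-privilege Azure RBAC custom role in the JSON shape that `az role definition create --role-definition @file.json` accepts, sanity-checks it, and then evaluates a few requests the way Azure does (inheritance down the scope tree, union across assignments including group membership, NotActions subtracted within a role, wildcard matching). The subscription ID, scopes, role names, and principal IDs are constructed for the example; only the action strings and built-in Reader semantics are real.

```python
"""Added example (not from the book): a least-privilege Azure RBAC custom role and
how Azure evaluates it.

Azure decides "is this operation allowed?" with three rules: (1) a role assignment
made at a scope applies to that scope and every child scope; (2) a principal's
effective permissions are the union of all its assignments, including those made
to groups it belongs to; (3) within one role, NotActions are subtracted from
Actions, and '*' is a wildcard that also matches '/'. The subscription ID,
scopes, role names and principal IDs below are constructed for the example.
"""
import fnmatch
import json

SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"   # constructed

# Custom role in the JSON shape accepted by
#   az role definition create --role-definition @vm-operator.json
# Least privilege: operators may read and power-cycle VMs, nothing more.
VM_OPERATOR_ROLE = {
    "Name": "Virtual Machine Operator (demo)",
    "IsCustom": True,
    "Description": "Read, start, restart and deallocate VMs; no create/delete/write.",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [SUBSCRIPTION],
}

# Broad grant narrowed with NotActions: everything in Microsoft.Network except deletes.
NETWORK_NO_DELETE_ROLE = {
    "Name": "Network Contributor (no delete, demo)",
    "IsCustom": True,
    "Actions": ["Microsoft.Network/*"],
    "NotActions": ["Microsoft.Network/*/delete"],
    "AssignableScopes": [SUBSCRIPTION],
}

# Built-in Reader, reduced to the part that matters here: a wildcard read on everything.
READER_ROLE = {"Name": "Reader", "IsCustom": False, "Actions": ["*/read"],
               "NotActions": [], "AssignableScopes": ["/"]}


def validate_role_definition(role):
    """Return a list of problems with a custom role; an empty list means it is acceptable."""
    problems = []
    if not role.get("Name", "").strip():
        problems.append("Name is required")
    if not role.get("AssignableScopes"):
        problems.append("AssignableScopes must list at least one scope")
    if "*" in role.get("Actions", []):
        problems.append("Actions contains a bare '*': that is Owner-level control-plane access")
    for action in role.get("Actions", []):
        if action.endswith("/*") and action.count("/") == 1 and not role.get("NotActions"):
            problems.append(f"{action!r} grants a whole resource provider; narrow it or add NotActions")
    return problems


def allowed_by_role(role, operation):
    """One role permits an operation if some Action matches it and no NotAction does."""
    granted = any(fnmatch.fnmatchcase(operation, p) for p in role.get("Actions", []))
    excluded = any(fnmatch.fnmatchcase(operation, p) for p in role.get("NotActions", []))
    return granted and not excluded


def scope_covers(assignment_scope, target_scope):
    """An assignment applies at its own scope and at every scope nested beneath it."""
    return target_scope == assignment_scope or target_scope.startswith(assignment_scope + "/")


def is_allowed(assignments, roles, principal_ids, operation, target_scope):
    """Union over all assignments whose principal (the user or one of its groups) and scope apply."""
    return any(
        asg["principalId"] in principal_ids
        and scope_covers(asg["scope"], target_scope)
        and allowed_by_role(roles[asg["roleDefinitionName"]], operation)
        for asg in assignments
    )


def demo():
    """Evaluate a few requests for a constructed user 'alice' against constructed assignments."""
    roles = {r["Name"]: r for r in (VM_OPERATOR_ROLE, NETWORK_NO_DELETE_ROLE, READER_ROLE)}
    rg_prod = SUBSCRIPTION + "/resourceGroups/rg-prod"
    rg_dev = SUBSCRIPTION + "/resourceGroups/rg-dev"
    vm_prod = rg_prod + "/providers/Microsoft.Compute/virtualMachines/vm01"
    vm_dev = rg_dev + "/providers/Microsoft.Compute/virtualMachines/vm02"
    vnet_prod = rg_prod + "/providers/Microsoft.Network/virtualNetworks/vnet01"
    assignments = [   # constructed; in Azure these come from `az role assignment list`
        {"principalId": "grp-vm-operators", "roleDefinitionName": VM_OPERATOR_ROLE["Name"], "scope": rg_prod},
        {"principalId": "grp-net-admins", "roleDefinitionName": NETWORK_NO_DELETE_ROLE["Name"], "scope": rg_prod},
        {"principalId": "grp-all-staff", "roleDefinitionName": "Reader", "scope": SUBSCRIPTION},
    ]
    # alice's own object ID plus the transitive groups she belongs to
    alice = {"alice-object-id", "grp-vm-operators", "grp-net-admins", "grp-all-staff"}
    check = lambda op, scope: is_allowed(assignments, roles, alice, op, scope)
    return {
        "restart_prod_vm": check("Microsoft.Compute/virtualMachines/restart/action", vm_prod),
        "delete_prod_vm": check("Microsoft.Compute/virtualMachines/delete", vm_prod),
        "restart_dev_vm": check("Microsoft.Compute/virtualMachines/restart/action", vm_dev),  # no assignment there
        "read_dev_vm": check("Microsoft.Compute/virtualMachines/read", vm_dev),               # inherited Reader
        "write_prod_vnet": check("Microsoft.Network/virtualNetworks/write", vnet_prod),
        "delete_prod_vnet": check("Microsoft.Network/virtualNetworks/delete", vnet_prod),     # blocked by NotActions
    }


if __name__ == "__main__":
    assert validate_role_definition(VM_OPERATOR_ROLE) == []
    print(json.dumps(VM_OPERATOR_ROLE, indent=2))   # save as vm-operator.json for `az role definition create`
    print(json.dumps(demo(), indent=2))
```

Two things to notice when you run it: the Reader assignment made at subscription scope is what lets alice read a VM in rg-dev even though no assignment exists there, and the `Microsoft.Network/*/delete` NotAction only subtracts from the role it sits in; it is not a deny and would not block a delete granted by some other role. Real deny semantics come from Azure deny assignments, which the portal lists on the separate Deny assignments tab shown in Figure 2-70.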
Create and configure managed identities

The management of secrets, credentials, certificates, and keys is a common challenge when developing a cloud solution. These secrets are what one service presents to another to prove who it is, so they are themselves high-value targets. Managed identities remove the need for developers to handle them at all.

While developers can safely store secrets in Azure Key Vault, a service still needs a credential to reach Key Vault in the first place. Managed identities solve this bootstrap problem by giving an Azure resource an automatically managed identity in Azure Active Directory. The resource can request Azure AD tokens for that identity from inside Azure without any credential being stored in code or configuration; Azure rotates the underlying credential and never exposes it to you.


There are two types of managed identities: 


■ System assigned: The system-assigned managed identity is created in Azure AD and is tied to the lifecycle of the service instance. When you delete the resource, Azure automatically deletes the identity. By design, only that Azure resource can use this identity to request tokens from Azure AD. Figure 2-72 shows an example of a role assignment for the system-assigned managed identity of an Azure virtual machine.


[Figure 2-72 screenshot: win-11-ent | Identity > System assigned > Azure role assignments > Add role assignment (Preview), with Scope = Resource group, Subscription = Visual Studio Ultimate with MSDN, Resource group = sc-200-demo-rg, Role = Reader]

FIGURE 2-72 System-assigned managed identity assignment to an Azure resource (VM).
■ User assigned: This type of managed identity is created as a standalone Azure resource and is managed independently of the resources that use it. It can be assigned to one or more Azure service instances, and a single resource can use several user-assigned identities. Figure 2-73 shows an example of a user-assigned managed identity being assigned to an Azure virtual machine instance.


[Figure 2-73 screenshot: win-11-ent | Identity, User assigned tab, with the "Add user assigned managed identity" pane open. The pane filters by identity name or resource group and lists the identity mg-identity-001-vm in resource group sc-300-demo-rg; no identities are selected yet]

FIGURE 2-73 User-assigned managed identity assignment to an Azure resource (VM).


Keep in mind that support for managed identities is added service by service, each on its own timeline, so check that the service you plan to use supports them. More information about Azure services and support for managed identities can be found at https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identities-status.


Use managed identities to access Azure resources 


After you've assigned a managed identity to an Azure resource, you can grant the managed 
identity access to other resources. When working with managed identities, keep the following 
points in mind: 

■ In Azure, you create a managed identity by selecting either system-assigned managed identity or user-assigned managed identity. The complete list of Azure services that support managed identities can be found at https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities.

■ When using a user-assigned managed identity, assign the identity to the source Azure resource, such as an Azure virtual machine. (A system-assigned identity is enabled on the resource itself, so there is nothing to assign.)

■ Ensure that the managed identity is authorized to access the target service by giving it a role assignment at the target. For example, Figure 2-74 shows how an Azure virtual machine's system-assigned managed identity can be granted access to an Azure Monitor Log Analytics workspace. In this case, the source resource is the Azure virtual machine, and the target resource is the Log Analytics workspace. Note that the role is assigned to the identity, not to the VM: the VM's own Azure RBAC assignments (who may manage the VM) and the identity's assignments (what workloads on the VM may reach) are separate.


[Figure 2-74 screenshot: aad-logs | Access control (IAM) > Add role assignment, Members tab. "Assign access to" is set to Managed identity, and the "Select managed identities" pane lists System-assigned managed identity > Virtual machine (1) alongside User-assigned managed identity (1); no members are selected yet]

FIGURE 2-74 Managed identities assignment.
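The bullets above cover the Azure side of the picture: the identity exists and has a role at the target. What the book does not show is what happens inside the VM when the application actually needs a token. The following added example, not from the book or from Microsoft, shows that exchange: the workload calls the Azure Instance Metadata Service (IMDS) at the link-local address 169.254.169.254 with the mandatory `Metadata: true` header, names the audience it wants (https://vault.azure.net for Key Vault), optionally selects a user-assigned identity with `client_id`, and gets back a bearer token it then presents to the target. The token JSON, client ID, and expiry values are constructed so the example runs offline; the IMDS URL, API version, header, and response field names are the real ones.

```python
"""Added example (not from the book): how code on an Azure VM turns its managed
identity into an Azure AD access token, with no stored credential.

The VM asks the Azure Instance Metadata Service (IMDS), reachable only from inside
the VM at the link-local address 169.254.169.254, for a token for a given
audience (the `resource`, e.g. https://vault.azure.net for Key Vault). IMDS
answers only for identities attached to that VM: the system-assigned one by
default, or a user-assigned one selected with client_id (object_id and mi_res_id
also work). The target service validates the token and then applies its own
Azure RBAC or access-policy check to the identity. The token JSON and client_id
below are constructed; real access tokens are JWTs.
"""
import json
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_token_request(resource, client_id=None):
    """Return (url, headers) for the IMDS token call."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:                                # user-assigned identity: say which one
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS refuses requests without 'Metadata: true'; a plain browser or simple SSRF
    # request cannot add that header, which is part of the service's defence.
    return url, {"Metadata": "true"}


def _fetch_http(url, headers):
    """Call IMDS directly, bypassing any HTTP proxy configured on the VM."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(urllib.request.Request(url, headers=headers), timeout=5) as resp:
        return resp.read().decode()


def get_token(resource, client_id=None, fetch=_fetch_http, now=time.time):
    """Return the bearer token plus expiry; refuse a token minted for another audience."""
    url, headers = build_token_request(resource, client_id)
    body = json.loads(fetch(url, headers))
    if body.get("resource") != resource:
        raise ValueError(f"token audience {body.get('resource')!r} != requested {resource!r}")
    expires_on = int(body["expires_on"])         # IMDS returns epoch seconds as a string
    return {
        "access_token": body["access_token"],
        "token_type": body.get("token_type", "Bearer"),
        "client_id": body.get("client_id"),      # which identity actually answered
        "expires_on": expires_on,
        "seconds_left": expires_on - int(now()),
    }


def auth_header(token):
    """Header to send to the target service, e.g. a Key Vault REST call."""
    return {"Authorization": f"{token['token_type']} {token['access_token']}"}


def needs_refresh(token, now=time.time, margin=300):
    """Refresh a few minutes before expiry; IMDS caches the token and hands back the same one until then."""
    return token["expires_on"] - int(now()) < margin


SAMPLE_IMDS_RESPONSE = json.dumps({             # constructed; field names match the IMDS response
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.constructed.signature",
    "client_id": "11111111-2222-3333-4444-555555555555",
    "expires_in": "86399",
    "expires_on": "1700086399",
    "ext_expires_in": "86399",
    "not_before": "1699999999",
    "resource": "https://vault.azure.net",
    "token_type": "Bearer",
})


def demo():
    """Offline run: the fetch function is replaced by the constructed response."""
    fake_fetch = lambda url, headers: SAMPLE_IMDS_RESPONSE
    fixed_now = lambda: 1700000000
    return get_token("https://vault.azure.net", fetch=fake_fetch, now=fixed_now)


if __name__ == "__main__":
    tok = demo()
    print(auth_header(tok)["Authorization"][:40], "...", tok["seconds_left"], "s left")
```

In production you would not hand-roll this: the Azure Identity SDKs' ManagedIdentityCredential (or DefaultAzureCredential) perform the same IMDS call, and `az login --identity` on the VM lets you test the assignment interactively. The audience check matters because the same code path is used for every target; a token for Azure Resource Manager will not be accepted by Key Vault, and silently reusing one produces confusing 401s rather than a clear error.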


Analyze Azure role permissions

For Azure resources, the effective permissions of a user, group, service principal, or managed identity are the union of its Azure role assignments at the resource's scope and at every parent scope (resource group, subscription, management group). The quickest way to analyze them is the Check access tab on a resource's Access control (IAM) page, which lists the roles a given principal holds at that scope (see Figure 2-77 later in this skill).

In the directory itself, all users in Azure AD are given a set of default permissions. The type of user, their role assignments, and their ownership of individual objects all contribute to defining user access. The set of default user permissions differs depending on whether the user is a member user of the tenant or a guest user brought in from another directory as part of business-to-business (B2B) collaboration.

The following are the default permissions assigned to member and guest users:

■ Member users can register applications, manage their own profile photo and mobile phone number, change their password, and invite B2B guests.

■ Guest users have limited directory access. They can edit their own profile, change their password, and view limited information about other users, groups, and apps. They cannot, however, read all directory information.
Configure Azure Key Vault RBAC and policies

Access to Azure Key Vault's data plane (keys, secrets, and certificates) can be granted using either Azure role-based access control (RBAC) or the older Key Vault access policies; a vault uses one model or the other. Access policies are granular per vault but are harder to manage at scale, and Microsoft recommends the Azure RBAC model for new vaults.

A Key Vault access policy specifies which operations a user, application, or group can perform on the vault's secrets, keys, and certificates. Access policies can be assigned via the Azure portal (as shown in Figure 2-75), the Azure CLI, or Azure PowerShell. Note that a Key Vault can hold up to 1,024 access policy entries, each of which grants a set of permissions to one security principal. Because of this limit, it is recommended to assign access policies to groups of users rather than to individual users whenever possible. Using groups also makes managing permissions within an organization much easier.


See the links below for step-by-step instructions on configuring Azure Key Vault RBAC and access policies.

■ Azure portal: https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal
■ Azure CLI: https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-cli
■ Azure PowerShell: https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-powershell


[Figure 2-75 screenshot: ContosoInc-KeyVault | Access policies > Create an access policy. A "Configure from a template" drop-down, then three permission columns: Key permissions (Key Management Operations: Get, List, Update, Create, Import, Delete, Recover, Backup, Restore; Cryptographic Operations; Privileged Key Operations: Purge), Secret permissions (Secret Management Operations: Get, List, Set, Delete, Recover, Backup, Restore; Privileged Secret Operations: Purge), and Certificate permissions (Certificate Management Operations: Get, List, Update, Create, Import, Delete, Recover, Backup, Restore, Manage Contacts, Manage Certificate Authorities)]

FIGURE 2-75 Create a Key Vault access policy.
Azure Key Vault also supports Azure RBAC for managing key, secret, and certificate permissions. With RBAC you manage permissions for all of your Key Vaults from a single place, using the same role-assignment model as every other Azure resource, so permissions can be assigned at management group, subscription, resource group, or individual vault scope (and, for the built-in Key Vault data-plane roles, even on an individual key, secret, or certificate). To use it, switch the vault's permission model to Azure role-based access control under Access configuration, as shown in Figure 2-76, and then use the Access control (IAM) option to view and assign roles as needed, as shown in Figure 2-77.


[Figure 2-76 screenshot: ContosoInc-KeyVault | Access configuration. Under "Permission model: Grant data plane access by using a Key Vault access policy or Azure RBAC", the options are "Vault access policy" and "Azure role-based access control" (selected), with a "Go to access control (IAM)" link and a banner asking you to click Apply to commit the change]

FIGURE 2-76 Enable Azure role-based access control in Key Vault.
[Figure 2-77 screenshot: ContosoInc-KeyVault | Access control (IAM). The Add menu offers Add role assignment and Add co-administrator; the page has "My access" (view my level of access to this resource), "Check access" (review the level of access a user, group, service principal, or managed identity has to this resource), "Grant access to this resource" (Add role assignment), and "View access to this resource"]

FIGURE 2-77 Access control (IAM) in Key Vault for viewing and assigning roles.


Keep in mind that switching a vault's permission model to Azure RBAC means its existing access policies stop being evaluated (they are kept, but ignored, so you can switch back). Every caller therefore needs an equivalent Azure role assignment in place before the switch, or it will lose access and cause an outage. Also allow for the fact that new Azure RBAC assignments can take several minutes to propagate.

For more information on configuring access to Key Vault keys, certificates, and secrets with Azure role-based access control, visit https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide.
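The outage risk just described is avoidable if the role assignments are planned from the existing policies before the permission model is switched. The following added example, not from the book or from Microsoft, does that planning: it reads access-policy entries in the shape `az keyvault show --query properties.accessPolicies` returns, proposes the least-privileged built-in Key Vault data-plane role for each (Key Vault Secrets User or Secrets Officer, Crypto User or Crypto Officer, Certificates Officer), flags entries granted to individual users or granting nothing, and emits the `az role assignment create` commands to run at vault scope before flipping to RBAC. The policy-to-role mapping is a heuristic written for this example; confirm each role's DataActions with `az role definition list --name "<role>"` before relying on it. The vault resource ID, object IDs, policy entries, and principal-type lookup table are constructed (policy entries carry only object IDs, so the types would normally come from `az ad sp show`, `az ad user show`, or `az ad group show`).

```python
"""Added example (not from the book): plan the cut-over from Key Vault access
policies to Azure RBAC so that nobody loses access when the permission model
is switched.

Input is a list of access-policy entries in the shape returned by
`az keyvault show --query properties.accessPolicies` (objectId + permissions
for keys/secrets/certificates). For each entry the code proposes the
least-privileged built-in Key Vault data-plane role(s) and prints the
`az role assignment create` command to run at vault scope *before* flipping the
model. The role mapping is a heuristic written for this example (confirm each
role's DataActions with `az role definition list --name "<role>"`); principal
types must be looked up separately because policy entries carry only object IDs.
The vault resource ID, object IDs and policies below are constructed.
"""
# Operations the built-in "Key Vault Crypto User" role covers: use keys, don't manage them.
CRYPTO_USER_OPS = {"get", "list", "encrypt", "decrypt", "wrapkey", "unwrapkey", "sign", "verify"}
# Operations "Key Vault Secrets User" covers: read secret values only.
SECRET_READ_OPS = {"get", "list"}
ACCESS_POLICY_LIMIT = 1024          # maximum policy entries per vault


def proposed_roles(permissions):
    """Map one policy entry's permissions to built-in roles, least privilege first."""
    def ops(kind):
        return {op.lower() for op in (permissions.get(kind) or [])}
    keys, secrets, certs = ops("keys"), ops("secrets"), ops("certificates")
    roles = set()
    if keys:
        roles.add("Key Vault Crypto User" if keys <= CRYPTO_USER_OPS else "Key Vault Crypto Officer")
    if secrets:
        roles.add("Key Vault Secrets User" if secrets <= SECRET_READ_OPS else "Key Vault Secrets Officer")
    if certs:
        roles.add("Key Vault Certificates Officer")
    return sorted(roles)


def plan_cutover(vault_id, access_policies, principal_types):
    """Return the role assignments, CLI commands and warnings for the switch to RBAC."""
    assignments, commands, warnings = [], [], []
    if len(access_policies) > ACCESS_POLICY_LIMIT * 0.9:
        warnings.append(f"{len(access_policies)} policy entries: close to the {ACCESS_POLICY_LIMIT} limit")
    for entry in access_policies:
        oid = entry["objectId"]
        ptype = principal_types.get(oid)
        if ptype is None:
            warnings.append(f"{oid}: principal type unknown (deleted object?); skipping")
            continue
        if ptype == "User":
            warnings.append(f"{oid}: granted to an individual user; prefer a group assignment")
        roles = proposed_roles(entry["permissions"])
        if not roles:
            warnings.append(f"{oid}: policy grants nothing; drop it instead of migrating")
            continue
        for role in roles:
            assignments.append({"objectId": oid, "principalType": ptype, "role": role, "scope": vault_id})
            # --assignee-principal-type avoids the "principal not found" race for newly created objects
            commands.append(
                f"az role assignment create --assignee-object-id {oid} "
                f"--assignee-principal-type {ptype} --role \"{role}\" --scope {vault_id}"
            )
    return {"assignments": assignments, "commands": commands, "warnings": warnings}


SAMPLE_VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-kv"
                   "/providers/Microsoft.KeyVault/vaults/contosoinc-keyvault")   # constructed
SAMPLE_POLICIES = [   # constructed; same shape as properties.accessPolicies
    {"objectId": "aaaa-web-app", "permissions":
        {"keys": ["get", "wrapKey", "unwrapKey"], "secrets": ["get", "list"], "certificates": []}},
    {"objectId": "bbbb-ops-group", "permissions":
        {"keys": [], "secrets": ["get", "list", "set", "delete"], "certificates": ["get", "list", "import"]}},
    {"objectId": "cccc-alice", "permissions": {"keys": [], "secrets": ["get"], "certificates": []}},
    {"objectId": "dddd-stale", "permissions": {"keys": [], "secrets": [], "certificates": []}},
]
SAMPLE_TYPES = {"aaaa-web-app": "ServicePrincipal", "bbbb-ops-group": "Group",
                "cccc-alice": "User", "dddd-stale": "ServicePrincipal"}   # constructed lookup


def demo():
    return plan_cutover(SAMPLE_VAULT_ID, SAMPLE_POLICIES, SAMPLE_TYPES)


if __name__ == "__main__":
    plan = demo()
    print("\n".join(plan["commands"]))
    print("\n".join("WARNING: " + w for w in plan["warnings"]))
```

Run the generated commands, wait for propagation, verify with Check access (Figure 2-77), and only then switch the permission model (Figure 2-76). Note that the mapping deliberately does not hand out Key Vault Administrator: that role spans all three object types and is almost never the equivalent of a single policy entry.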


Chapter summary 


■ Azure AD Multifactor Authentication (MFA) allows organizations to add an additional factor to user authentication, which immediately increases account security because an attacker must compromise additional factors to get access to the account.

■ Azure AD provides a range of passwordless authentication methods to users.

■ Users can use Azure AD passwordless authentication methods such as FIDO2 security keys, Windows Hello for Business, and the Microsoft Authenticator app during sign-ins.

■ Self-service password reset (SSPR) is a feature in Azure AD that allows users to reset their password without seeking help from support or an IT administrator.

■ Azure AD smart lockout helps safeguard user accounts by locking out potential malicious actors who use brute-force, password spray, or similar attack techniques to guess the password.

■ Azure AD tenant restrictions enable organizations with strict information access and compliance requirements to control access to any SaaS application that uses a modern authentication protocol and relies on an Azure AD tenant for single sign-on (SSO).

■ Azure AD Conditional Access enables organizations to apply the fine-grained access control policies required to secure resource access.

■ Azure AD Conditional Access collects signals from a variety of sources to make decisions and enforce organizational policies.

■ Azure AD Terms of Use (ToU) policies make it easy for end users to see important legal or compliance disclaimers.

■ Azure AD Identity Protection (AADIP) can evaluate what it recognizes to be usual behavior for a user and use that knowledge to form risk calculations.

■ Calculation of the likelihood that an identity has been compromised is known as user risk.

■ Azure AD Identity Protection (AADIP) provides three risk-related reports: the Risky users report, the Risky sign-ins report, and the Risk detections report.

■ Azure role-based access control (RBAC) is the primary mechanism to control access to Azure resources.

■ Managed identities provide an automatically managed identity in Azure AD for applications to use when connecting to other Azure resources.


Thought experiment 


In this thought experiment, demonstrate your skills and knowledge of the topics covered in this 
chapter. You can find answers to this thought experiment in the next section. 


You work for Contoso, Inc., a large industrial company, as an Azure AD administrator. 


Staff of Contoso, Inc. utilize passwords as their primary authentication mechanism, with no 
additional factor, and their credentials were recently exposed, raising serious security concerns. 
Staff also have a habit of selecting poor passwords with no verification for password quality. Also, 
Contoso, Inc. currently lacks capabilities to detect leaked credentials or anomalous user behavior. 


The IT department recently upgraded all staff machines to the Windows 11 operating system, which was a costly process, and the company wants to ensure that users receive the best possible combination of security and usability.

Finally, Contoso, Inc.'s Compliance department requires that Azure AD logs be exported to Azure Storage for long-term retention.


With this information in mind, answer the following questions: 


1. How can Contoso, Inc.'s security posture be improved to ensure that even if user credentials are leaked, hackers are prevented from accessing the user account?

2. What measures need to be taken to ensure that staff passwords do not contain words considered unsuitable for passwords?

3. What feature will allow Contoso, Inc. users to use biometrics for authentication on Windows 11?

4. Which Azure AD setting allows Azure AD logs to be sent to the Azure Storage service?


Thought experiment answers 


This section contains solutions to the thought experiment. Each answer explains why the 
answer choice is correct. 


1. Azure AD Multifactor Authentication (Azure AD MFA). MFA should be used to improve the security posture of the organization and to mitigate threats associated with passwords. Adding an additional factor to user authentication immediately improves account security because a hacker must compromise additional factors to compromise the account.

2. Azure AD Password Protection. Azure AD Password Protection maintains a global banned passwords list, which is applied automatically to all users in the directory. In addition to the default global list of banned passwords, organizations can create their own custom list of banned passwords to meet their specific security requirements.

3. Windows Hello for Business (WHfB). It allows users to use strong two-factor authentication to replace passwords on their Windows 11 devices. Users are given a credential that is linked to their device and that uses biometrics (or a PIN) for authentication.

4. Azure AD Diagnostic settings. They enable the sending of Azure AD logs to the Azure Storage service.
Implement Access Management for Apps


Azure Active Directory (Azure AD) enables enterprises to support a simple, secure, and easy application access model. This chapter covers how enterprise admins can discover applications, enable single sign-on (SSO) experiences for applications, enable application management, and gain insights from integrated reporting. We also focus on the deployment of various types of applications, including cloud apps and on-premises web applications, and explain how the security model works and how applications and application access can be secured.


Skills covered in this chapter:

■ Skill 3.1: Plan, implement, and monitor the integration of Enterprise apps for SSO
■ Skill 3.2: Implement app registrations
■ Skill 3.3: Manage and monitor application access by using Microsoft Defender for Cloud Apps
Skill 3.1: Plan, implement, and monitor the integration of Enterprise apps for SSO


Enterprise applications govern the majority of the end user application experience. This skill 
focuses on how the applications are discovered, how different types of applications can be 
integrated with Azure AD, and key access management fundamentals in real-world scenarios. 


This skill covers how to:

■ Discover apps by using Microsoft Defender for Cloud Apps or an ADFS application activity report
■ Design and implement app management roles
■ Understand and plan various built-in roles for application management
■ Configure pre-integrated gallery SaaS apps for SSO and implement access management
■ Integrate custom SaaS apps for SSO
■ Implement application user provisioning
■ Integrate on-premises apps by using the Azure AD Application Proxy
■ Monitor and audit access/sign-ons to Azure AD integrated Enterprise applications
■ Implement and configure consent settings


Discover apps by using Microsoft Defender for Cloud Apps or an ADFS application activity report


More and more enterprises are adopting the SaaS (Software as a Service) model for the majority of their commercial off-the-shelf applications, and modern applications built on the SAML, OIDC, and OAuth standards make it easy to subscribe to such services. In this world you will hear of a new class of tool, the CASB (Cloud Access Security Broker), which sits between users and cloud service providers to give visibility into cloud usage and enforce security policy. Microsoft Cloud App Security (MCAS), now called Microsoft Defender for Cloud Apps, is Microsoft's CASB; it provides visibility into, and enforces organizational policies for, such applications.


Microsoft Cloud App Security 


MCAS, now known as Microsoft Defender for Cloud Apps, offers multiple options to discover the applications being used by an enterprise, and it can receive signals from various channels including outbound internet proxy and firewall logs, its reverse proxy, and API integration. Cloud Discovery is the feature most used to discover applications in use in the organization. It provides comprehensive visibility into non-approved applications being used by business units or individuals (usage often referred to as Shadow IT), and the administrator can then choose to enforce controls per enterprise policy.
Architecture

Microsoft Defender for Cloud Apps (Cloud App Security) can improve visibility into cloud apps and provide additional security controls. The following are some of the most used features; Figure 3-1 shows how each is architecturally enforced.

■ Identify cloud applications used in the organization using the discovery functionality

■ Implement API-based app connectors that provide deeper management of, and visibility into, the applications

■ Extend Conditional Access with session controls (via the reverse proxy) and understand application usage patterns in depth

■ Allow or block applications by marking them sanctioned or unsanctioned


[Figure 3-1 diagram: Cloud App Security in the middle, connected to Cloud Applications through API App Connectors, to Cloud Discovery fed by cloud traffic logs and configuration scripts, and to Protected Access + Sessions through the proxy; users connect from any location]

FIGURE 3-1 Cloud App Discovery architecture.


NEED MORE REVIEW? Cloud app Discovery 


For more information about the different editions of Cloud App Security, visit: 
https://docs.microsoft.com/en-us/defender-cloud-apps/editions-cloud-app-security-0365 


Cloud Discovery 


One of the key functions of Cloud App Security is the Cloud Discovery feature. You can configure it to use logs from your firewalls or proxies to generate insights, and log collection can be automated for periodic retrieval and continuous report updates. Cloud Discovery is an intelligent report enriched with metadata to help admins gain insight into usage patterns and risks. Figure 3-2 shows the various cloud apps discovered by the Cloud Discovery engine.

FIGURE 3-2 Cloud App Discovery portal.


Cloud Discovery not only detects application usage but also enriches the data with a lot of metadata about each application. In general, you get a view into:

■ Application usage across the organization
■ Automatic categorization into sanctioned and unsanctioned applications
■ Automatic metadata enrichment such as risk score, compliance information, and so on
■ Usage insights based on traffic, users, IP addresses, and so on
■ Rich filtering based on usage and the enriched metadata, including:
  ■ App tag
  ■ Apps and domains
  ■ Categories
  ■ Compliance risk factors (PCI-DSS, HIPAA, and more)
  ■ Legal risk factors
  ■ General risk factors
  ■ Risk scores
  ■ Security risk factors
  ■ Usage
Sanctioned apps

While Microsoft Cloud App Security provides great insight through Cloud Discovery, discovery by itself cannot enable or disable access. It gives admins the intelligence to recommend a reputable SaaS application in place of one that might put the entire organization at risk. Additionally, if you use Microsoft Defender for Endpoint or another supported proxy or firewall solution, you can generate block scripts from the discovery data to block access to the applications you mark as unsanctioned. In Figure 3-3, you can see the Unsanctioned apps tab highlighted and the details of the applications in this category.

[Figure 3-3 screenshot: Microsoft Defender for Cloud Apps, Cloud Discovery, Unsanctioned apps tab]

FIGURE 3-3 Application details discovered by cloud discovery.


NEED MORE REVIEW? SANCTIONING DISCOVERED APPS 


For more information on sanctioning/un-sanctioning discovered apps, visit: 
https://docs.microsoft.com/en-us/defender-cloud-apps/governance-discovery 


Active Directory Federation Service 


ADFS, or Active Directory Federation Services, allows an organization to set up federations with business partners and provide single sign-on (SSO) to trusted parties. One of the key tenets of modern applications has been separating user authentication from the application itself; protocols such as SAML, OIDC, and OAuth make this possible. Although these protocols have existed for quite some time, they are often referred to as modern protocols, since they let you apply modern controls like Multifactor Authentication (MFA), device-based compliance, and so on. Many enterprises today still run federation servers to let their users connect to SaaS apps. In-house line-of-business (LOB) or custom applications, sometimes called private applications, use the same infrastructure, as does the federation with Microsoft 365/Azure AD services. Figure 3-4 shows an ADFS server in federation mode and how different applications can be federated with it.


[Figure 3-4 diagram: an ADFS server federating SaaS apps such as Salesforce, in-house LOB apps, and O365/Azure AD]

FIGURE 3-4 ADFS servers with federated apps including O365/Azure AD.


However, more and more companies are taking advantage of cloud-native Azure AD features like Conditional Access, Azure AD Multifactor Authentication, and device-based policy. Enterprises extend the same controls and policies to their SaaS applications and line-of-business (LOB) applications to achieve a more modern security plane with consistent controls for both cloud and on-premises applications. One of the first steps they take is to integrate applications with Azure AD directly, as shown in Figure 3-5.


[Figure 3-5 diagram: SaaS apps such as Box, Adobe, and Salesforce, plus LOB apps, connected directly to Azure AD, with ADFS shown alongside as the legacy path]

FIGURE 3-5 Applications directly connected to Azure AD.
ADFS usage and insights


ADFS Usage and insights can help generate reports to assist in the migration of applications 
from ADFS to Azure AD. The ADFS application activity report provides key decision points to 
help with prioritization of the apps for migration, including app usage and potential issues that 
might affect migration. Figure 3-6 shows an example of the ADFS application activity report 
with detected insights highlighting the date range filter and the key fields reported. 


[Figure 3-6 screenshot: ADFS application activity report with a date range filter; columns include Unique User Count, Successful sign-ins, Failed sign-ins, and Migration status]

FIGURE 3-6 ADFS application activity.


Prerequisites for ADFS Usage and insights include the following: Azure AD Connect Health must be enabled for the tenant, the Connect Health agent for ADFS must be installed on the ADFS server(s), and ADFS auditing must be turned on, which requires certain audit permissions and Local Security Policy settings that depend on the ADFS server version. For an application to show up in the console, there must be success/failure sign-in events for it in the ADFS event logs. Who can view the application information is controlled via Azure AD role-based access control (RBAC).


The following roles can view the reports:

■ Global administrator
■ Global reader
■ Application administrator
■ Cloud application administrator
■ Security reader
■ Reports reader

The ADFS Application Activity report can help with the following areas:

■ Discover ADFS applications: The report includes applications that users have signed in to during the last 30 days. The report skips Microsoft-related relying parties like Microsoft Office 365.

■ Planning: The tool shows you the number of unique users and sign-in information, which can be used to plan application migration and to assess the risk associated with each application's criticality based on its usage.

■ Identify issues and recommendations: The Azure AD service automatically runs several tests to identify potential migration issues and provide recommendations on how they can be fixed. Figure 3-7 shows how potential issues are reported, with details on possible resolutions in the highlighted sections.


[Figure 3-7 screenshot: Migration rule details for the relying party https://fourthcoffeexyz.my.salesforce.com, flagging "Relying Party has SignedSamlRequestsRequired set to true", with the remaining configuration tests passed]

FIGURE 3-7 ADFS application migration details.


Once the insights are generated, you might see the following results in the migration status column. Administrators can click on details to find a more detailed analysis of the status.

■ Ready to migrate: No modification is required for the application or ADFS.

■ Needs review: You will need to review certain settings; some application configuration elements can't be migrated to Azure.

■ Additional steps required: This will require some changes to the application's settings before the application can be migrated. In general, the most effort is required for an application reported in this state.


NEED MORE REVIEW? ADFS APPLICATION ACTIVITY REPORT 


For more information about this, visit: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-adfs-application-activity


Design and implement app management roles 


This objective focuses on understanding the various design aspects of the roles available for 
managing applications in Azure AD. In general, before applications are secured using Azure 
AD, planning is required to understand the delegation model, types of applications, and what 
activities these roles allow them to perform. 
Restricting apps creation


Before planning the application management roles, note that by default Azure AD allows all users to register applications and manage their settings. In most enterprises, however, this capability is governed and assigned to appropriate roles. This can be achieved in User settings by setting Users can register applications under App registrations to No (as highlighted in Figure 3-8).


[Figure 3-8 shows the Azure Active Directory User settings blade for the FourthCoffee tenant, with Users can register applications under App registrations and Restrict access to Azure AD administration portal under Administration portal]

FIGURE 3-8 App registration control on Azure AD.


On the Enterprise applications blade, under Consent and Permissions, in the User consent for applications option, choose Do not allow user consent (highlighted in Figure 3-9).


[Figure 3-9 shows the User consent settings page with the three User consent for applications options: Do not allow user consent (an administrator will be required for all apps); Allow user consent for apps from verified publishers, for selected permissions (Recommended), under which all users can consent for permissions classified as "low impact" for apps from verified publishers or apps registered in this organization; and Allow user consent for apps, under which all users can consent for any app to access the organization's data]

FIGURE 3-9 Consent setting to block users for app consent.
You also need to configure the consent settings for group owners as part of the overall consent management (as highlighted in Figure 3-10).


[Figure 3-10 shows the Group owner consent for apps accessing data options: Do not allow group owner consent; Allow group owner consent for selected group owners; and Allow group owner consent for all group owners. The page also notes that when user consent for applications is disabled, users may still be able to connect their work or school accounts with LinkedIn, which is managed in User settings]

FIGURE 3-10 Additional consent setting to block users for app consent.


When the above settings are configured, end users are unable to consent to any application, which can be a problem in the real world because users need access to applications. Azure AD provides administrators with an option that lets users safely request consent for new applications, with each request reviewed by an approver. The ability to review these requests must be delegated to specific users, groups, or roles in the enterprise. Figure 3-11 highlights the admin consent requests control.

FIGURE 3-11 Enterprise app setting to request admin for app consent.

Even with the Users can request admin consent setting, admins might still be overwhelmed by the number of requests. Additionally, you can choose to safely allow consent to applications from publishers verified with Microsoft as part of the application integration certification. This provides a higher level of attestation that the application is verified and can be traced to its owners, with a reduced risk of consent abuse, and hence is safer to consent to automatically, as highlighted in Figure 3-12.


[Figure 3-12 shows the User consent settings page with Allow user consent for apps from verified publishers, for selected permissions (Recommended) selected]

FIGURE 3-12 App registration setting to allow consent for verified publishers.
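As an added example that is not part of the book, the app registration restriction from Figure 3-8 and the three user consent options from Figures 3-9 and 3-12 can be applied and audited with the Microsoft Graph PowerShell SDK. The function names and the mapping of portal options to permission-grant policy ids are this example's own; it assumes the Microsoft.Graph module is installed.

```powershell
# Added example (not from the book): set and audit the tenant-wide defaults shown in
# Figures 3-8, 3-9 and 3-12 with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the signed-in admin can update
# the authorization policy. Set-UserConsentPosture / Test-UserConsentPosture are
# names chosen for this example.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'

function Set-UserConsentPosture {
    param(
        # The three radio buttons in Figure 3-9, top to bottom.
        [Parameter(Mandatory)]
        [ValidateSet('DoNotAllow', 'VerifiedPublishersLowImpact', 'AllowAll')]
        [string]$Mode,
        # 'Users can register applications' from Figure 3-8; No is the hardened value.
        [bool]$UsersCanRegisterApps = $false
    )
    # Each portal option corresponds to the set of permission-grant policies held by the
    # default user role. An empty set means an administrator is required for all apps.
    $grantPolicies = switch ($Mode) {
        'DoNotAllow'                  { @() }
        'VerifiedPublishersLowImpact' { @('ManagePermissionGrantsForSelf.microsoft-user-default-low') }
        'AllowAll'                    { @('ManagePermissionGrantsForSelf.microsoft-user-default-legacy') }
    }
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
        AllowedToCreateApps             = $UsersCanRegisterApps
        PermissionGrantPoliciesAssigned = $grantPolicies
    }
}

function Test-UserConsentPosture {
    # Read back what is actually in effect; useful as a recurring configuration check.
    $perms    = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions
    $assigned = @($perms.PermissionGrantPoliciesAssigned)
    [pscustomobject]@{
        UsersCanRegisterApps = $perms.AllowedToCreateApps
        GrantPolicies        = ($assigned -join ', ')
        AdminConsentForAll   = ($assigned.Count -eq 0)
        LegacyAllowAll       = ($assigned -contains 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy')
    }
}

# Hardened baseline used in this chapter: no self-service app registration, no user consent.
Set-UserConsentPosture -Mode DoNotAllow
Test-UserConsentPosture

# The "Recommended" middle ground from Figure 3-12 once admin consent requests pile up:
# Set-UserConsentPosture -Mode VerifiedPublishersLowImpact
```

Group owner consent (Figure 3-10) is governed by a separate directory setting and is not covered by this script.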


Application ownership 


You can assign users to specific built-in roles such as Application Developer to create application registrations. Users are granted ownership of any applications they create, which allows them to manage all settings of that specific application. Figure 3-13 shows the owners of an application; the creator of the application is added as the default owner.


[Figure 3-13 shows the Owners page of the MarketApp1 enterprise application. The page notes that assigning owners is a simple way to grant the ability to manage all aspects of an enterprise application, and that owners can also add or remove other owners]

FIGURE 3-13 Adding application owners for the Enterprise applications.
Similar settings exist for app registrations (application principals). You can see the owner details and how they are added highlighted in Figure 3-14.


[Figure 3-14 shows the Owners page of the MyLobAppPrincipal app registration, listing owners by email, user name, job title, and type]

FIGURE 3-14 Adding owners for the app registration for a LOB app.


NOTE THE FOLLOWING RESTRICTIONS APPLY TO THE APP PRINCIPAL OWNER CONFIGURATION:

■ Groups cannot be assigned as owners of an Enterprise application or app registration.

■ A service principal can be the owner of an application registration.

■ New app registrations are hidden from users by default. To enable the app, in the Azure portal navigate to Azure Active Directory > Enterprise applications and select the app. Then on the Properties page, toggle Visible to users? to Yes.

■ The app can have more permissions than the app owners. An application owner can perform tasks impersonating the application.


Understand and plan various built-in roles for application 
management 


Azure AD offers multiple roles to allow delegation and management of applications. Three 
built-in roles are available related to application management, as described in Table 3-1, along 
with their capabilities. 
TABLE 3-1 Azure AD roles for the application management

Role | Description
Application Administrator | Can create and manage all aspects of app registrations and Enterprise apps
Application Developer | Can create application registrations independent of the Users can register applications setting
Cloud Application Administrator | Can create and manage all aspects of app registrations and Enterprise apps except App Proxy

EXAM TIP

It is important to understand each of the built-in application admin roles and have a clear distinction of what types of applications every role can manage.


Custom roles 


While the built-in roles allow delegation in certain scenarios, they might be too broad, or you might need to tailor the roles of application developers to specific applications. Custom roles allow admins to create a role definition that can be assigned to different users. For example, you can create a custom role for developers and assign it to specific developers, scoped to the application they manage.


Creating a custom role is a two-stage process:

■ Define the custom role

The role definition is generally a subset of the permissions assigned to the built-in roles; you can choose which permissions to grant from the list.

■ Assign the role

By default, custom roles are assigned at the default organization-wide scope, granting access permissions for all app registrations within the organization. For more information, please read https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-create#assign-a-custom-role-scoped-to-a-resource.


NOTE CUSTOM ROLE RESTRICTIONS 


If you have the Restrict access to Azure AD administration portal setting configured to Yes, custom roles do not grant access to the Azure AD portal.


To create a custom role, complete the following steps:

1. Sign in to the Azure AD portal with Global Administrator credentials.

2. On the Azure Active Directory blade, under Manage, select Roles and administrators.

3. On the Roles and administrators blade, select New custom role (as highlighted in Figure 3-15).

FIGURE 3-15 The Azure AD console for adding new custom roles.

4. In the New custom role blade, on the Basics tab, in the name box, enter AppManagers as the role name, provide a role description, and click Next (as highlighted in Figure 3-16).

FIGURE 3-16 Basic information for custom roles creation.

5. Go to the Permissions tab and review the available permissions.

6. In the Search by permission name or description box, enter Manage, specify the required permissions, and click Next (as highlighted in Figure 3-17).

7. Click Next.

FIGURE 3-17 Custom role wizard to select permissions from built-in permissions.

8. In the results, select the desired permissions and then select Next.

9. Review the changes and then select Create.

10. The role you just created should be available for assignment under Roles and administrators. In this example, we filter by Type as Custom and specify AppManagers, as highlighted in Figure 3-18.

FIGURE 3-18 Custom role available in the console.
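The same two stages (define, then assign) can be scripted with the Microsoft Graph PowerShell SDK; the following is an added example, not code from the book, that also scopes the assignment to one app registration instead of the organization-wide default. It assumes the Microsoft.Graph module is installed; the developer UPN and the app display name are placeholders.

```powershell
# Added example (not from the book): create the AppManagers custom role from the steps
# above with the Microsoft Graph PowerShell SDK and assign it scoped to a single app
# registration instead of the default organization-wide scope.
# Assumes the Microsoft.Graph module is installed; the developer UPN and the app
# display name are placeholders.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Application.Read.All', 'User.Read.All'

# Stage 1: define the role. The actions are a subset of what the built-in
# Application Administrator role holds, matching the "Manage" search in the wizard.
$allowedResourceActions = @(
    'microsoft.directory/applications/basic/update'        # name, logo, notes, URLs
    'microsoft.directory/applications/credentials/update'  # secrets and certificates
)
$roleDefinition = New-MgRoleManagementDirectoryRoleDefinition `
    -DisplayName     'AppManagers' `
    -Description     'Manage basic properties and credentials of assigned app registrations' `
    -RolePermissions @{ allowedResourceActions = $allowedResourceActions } `
    -TemplateId      (New-Guid).Guid `
    -IsEnabled:$true

# Stage 2: assign the role. A DirectoryScopeId of '/' would cover every app registration
# in the tenant; '/<application object id>' limits the developer to that one app.
$developer = Get-MgUser -Filter "userPrincipalName eq 'dev1@fourthcoffee.example'"  # placeholder
$app       = Get-MgApplication -Filter "displayName eq 'MyLobApp'"                  # placeholder
if (-not $developer -or -not $app) { throw 'Placeholder user or application not found' }

New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $roleDefinition.Id `
    -PrincipalId      $developer.Id `
    -DirectoryScopeId ('/' + $app.Id)

# Verify: every assignment of the new role with its scope. A scope of '/' here would
# mean the role was granted tenant-wide, which is exactly what the scoping avoids.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($roleDefinition.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId
```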
Configure pre-integrated gallery SaaS apps for SSO and implement access management


In this section, we cover what Azure AD gallery applications are, the key configuration attri- 
butes, and how to implement access control for the applications. 


Azure AD application gallery 


Azure AD offers thousands of pre-integrated applications as part of the Azure AD gallery (see Figure 3-19). These reduce administrator effort and provide a pre-verified application integration experience. Multiple types of applications are available for integration; we will learn how to search for and add an application and the key steps involved in gallery app integration. There are four primary types of applications in the Azure AD Gallery, as described in Table 3-2.
[Figure 3-19 shows the Azure AD Gallery with an application search box, filters for Single Sign-on, User Account Management, and Categories, and Cloud platforms tiles such as Amazon Web Services (AWS), Google Cloud Platform, and Oracle]

FIGURE 3-19 Azure AD Gallery.


TABLE 3-2 Azure AD Gallery application

Application type | Description
OpenID Connect | Choose OpenID Connect and OAuth 2.0 if the application you're connecting to supports it.
SAML | Choose SAML whenever possible for existing applications that do not use OpenID Connect or OAuth.
Password | Choose password-based when the application has an HTML sign-in page. Password-based SSO is also known as password vaulting. Password-based SSO enables you to manage user access and passwords to web applications that don't support identity federation. It's also useful when several users need to share a single account, such as your organization's social media app accounts.
Linked | Linked sign-on allows you to add a link to an application in My Apps and/or the Office 365 application launcher for selected users. You can add a link to a custom web application that currently uses federation, such as Active Directory Federation Services (ADFS). The Linked option doesn't provide sign-on functionality through Azure AD credentials.
Azure AD Gallery offers a search experience to quickly identify the application among the
thousands in the offering. This allows admins to efficiently navigate to the required application. 
It offers multiple filters to choose applications from various business categories, support for 
user account provisioning, and single sign-on methods. 


To search for applications in the Azure AD console, follow these steps:

1. In the Azure portal, select Enterprise Applications, and then select New application.

2. In the search window, type the application name; in this example, we type salesforce.

3. Select the Salesforce application to view its properties, as shown in Figure 3-20. The search wizard will also indicate whether the application supports Federated SSO or Provisioning (User/Group/Both).

4. Click the Create button to add an instance of the application.

FIGURE 3-20 Adding an application from the Azure AD Gallery.


Once the application is created, one of the first things you do is configure the various application attributes or properties, which are listed below. Administrators can control the user experience for an application by controlling these key application properties. The properties described below are common to Enterprise applications as well as app registrations, as shown in Figure 3-21.

■ Application Name
Specify the application name so it can be easily discovered by end users.

■ Logo
Azure AD allows administrators to define custom logos. The logo art specification is 215 x 215 pixels in PNG format.

■ Notes
This field is useful for the management of the application, in case there is more than one instance of the same application configured differently and used by different business departments. This field is plain text and can be used for administrator notes.

FIGURE 3-21 Enterprise Application Properties.


■ Application Behavior Controls
Three main settings can be adjusted to meet both user and business requirements: Enabled for users to sign in, User assignment required, and Visible to users.

Table 3-3 contains a quick summary of the various settings that can affect the end user experience and application discovery/visibility by end users. These options exist to accommodate different types of applications, such as web apps and APIs. In some cases you want users to be able to launch the app, while for APIs you typically want to hide the app from end users.


TABLE 3-3 Application behavior controls

Setting | Yes | No
Enabled for users to sign-in | Assigned users will be able to sign in to this application, either from My Apps, from the User access URL, or by navigating to the application URL directly. | No users will be able to sign in to this app, even if they are assigned to it.
Assignment Required | Users and other apps or services must first be assigned this application before being able to access it. | All users will be able to sign in, and other apps and services will be able to obtain an access token to this service.
Visible to Users | Assigned users will see the application on My Apps and the Office 365 app launcher. | No users will see this application on their My Apps and the Office 365 app launcher.
NOTE DIFFERENCE IN AZURE AD APPLICATION PROPERTIES

Some options might change between applications when you add an application from the gallery, depending on whether the SSO is based on SAML or OIDC. One such key difference is a field that exists for SAML applications called User access URL. All apps under App Registrations are OIDC-based applications. The SSO configuration varies depending on the type of application as well.


Implement access management 


Access management is a key aspect of any Identity and Access Management (IAM) solution. Azure AD provides a powerful yet simple interface to manage application access for users.


Applications can be assigned to appropriate users and groups. One of the key planning 
items related to application access is the group for application access. While you can assign us- 
ers to the application, it’s recommended to use a group for each application or application role 
if the application supports multiple roles. In Figure 3-22, as an example, a group of users called 
Salesforce-ChatterUsers is assigned to the App Role Chatter Free User. 


To assign users to an app, complete the following steps:

1. On the Salesforce app in the Enterprise Applications blade, on the Overview page, under Manage, select Users and groups.

2. On the Users and groups page, on the menu, select +Add user/group.

3. On the Add Assignment blade, select Users and groups.

4. In the Users and groups pane, select your application group account and then press the Select button.

5. (Optional) You might have an option to select Role if applicable to your app.

6. Select Assign.


[Figure 3-22 shows the Users and groups page of the Salesforce enterprise application, with the group Salesforce-ChatterUsers (Object Type: Group) assigned the role Chatter Free User. The page notes that the application will appear for assigned users within My Apps unless Visible to users? is set to No in Properties]

FIGURE 3-22 Assigning users and groups to an application.
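As an added example that is not from the book, the Table 3-3 behavior controls and the group-to-app-role assignment from Figure 3-22 can be applied together with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and that the app and group display names match those used in the chapter.

```powershell
# Added example (not from the book): apply the Table 3-3 behavior controls to the
# Salesforce enterprise application and assign the Salesforce-ChatterUsers group to the
# Chatter Free User app role, as in Figure 3-22, using the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the display names match the chapter.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Group.Read.All', 'AppRoleAssignment.ReadWrite.All'

$sp = Get-MgServicePrincipal -Filter "displayName eq 'Salesforce'" | Select-Object -First 1
if (-not $sp) { throw 'Salesforce enterprise application not found' }

# Behavior controls from Table 3-3:
#   AccountEnabled            -> Enabled for users to sign-in
#   AppRoleAssignmentRequired -> Assignment required (unassigned users and apps get no token)
#   'HideApp' tag             -> Visible to users = No (removed here so the tile shows in My Apps)
$tags = @($sp.Tags | Where-Object { $_ -ne 'HideApp' })
Update-MgServicePrincipal -ServicePrincipalId $sp.Id `
    -AccountEnabled:$true `
    -AppRoleAssignmentRequired:$true `
    -Tags $tags

# Resolve the app role by display name. Apps that publish no roles are assigned with the
# all-zero "default access" role id instead.
$role = $sp.AppRoles |
    Where-Object { $_.DisplayName -eq 'Chatter Free User' -and $_.IsEnabled } |
    Select-Object -First 1
$appRoleId = if ($role) { $role.Id } else { '00000000-0000-0000-0000-000000000000' }

# Assign the group (recommended over individual users) to that role on the app.
$group = Get-MgGroup -Filter "displayName eq 'Salesforce-ChatterUsers'" | Select-Object -First 1
if (-not $group) { throw 'Group Salesforce-ChatterUsers not found' }
New-MgGroupAppRoleAssignment -GroupId $group.Id `
    -PrincipalId $group.Id `
    -ResourceId  $sp.Id `
    -AppRoleId   $appRoleId

# Verify, mirroring the Display Name / Object Type / Role assigned columns in Figure 3-22.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType, AppRoleId
```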
In this section, we learned about what the Azure AD Application Gallery is, how we can search
for an application, create an application from the gallery, view and set key properties associated 
with an application, and implement access control. Each SaaS application or gallery app might have 
a different single sign-on (SSO) configuration, which was not covered here. Detailed configuration 
around single sign-on is covered in the next section, “Integrate custom SaaS apps for SSO.” 


NEED MORE REVIEW? INTEGRATE SAAS APPLICATIONS WITH AZURE ACTIVE DIRECTORY

For more information on Azure AD application integration, visit:

■ https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/tutorial-list

■ https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-sso


Integrate custom SaaS apps for SSO 


Azure AD offers thousands of pre-integrated applications in the gallery but also allows the flexibility to add any software-as-a-service (SaaS) application that is missing from the gallery. In this section, we will learn how to integrate a custom SaaS application with Azure AD.


Custom app integration 


Azure AD can be used as an identity provider for many types of applications. Apart from hav- 
ing native support for Office 365 applications, you can further integrate various other types of 
applications. 

■ The Azure AD Gallery offers application templates that can be easily set up.

■ You can request missing applications from Azure AD for integration.

■ Additionally, you can manually configure applications for single sign-on using either SAML (Security Assertion Markup Language) or OIDC (OpenID Connect). Figure 3-23 shows how Azure AD can support different types of application integration.


[Figure 3-23 shows Azure AD in the middle, integrating SaaS apps such as Box, Salesforce, and Adobe on one side and LOB apps on the other]

FIGURE 3-23 Azure AD and supported application integration.
The Microsoft Identity platform has support for multiple protocols, and generally developers have a choice to integrate using one over another. Table 3-4 describes the key differences between the key protocols and how they are used.


TABLE 3-4 Comparison between different supported protocols

Protocol | Description | Typical use
SAML | Security Assertion Markup Language (SAML) is used for authentication. | SAML authentication is commonly used with identity providers such as Active Directory Federation Services (ADFS) federated to Azure AD and is therefore frequently used in Enterprise applications and generally has a larger footprint.
OpenID Connect | OpenID Connect (OIDC) is used for authentication. OpenID Connect is built on top of OAuth 2.0, which means the terminology and flow are similar between the two. You can even authenticate a user using OpenID Connect and get authorization to access a protected resource that the user owns using OAuth 2.0 in one request. | OpenID Connect is commonly used for apps that are purely in the cloud, such as mobile apps, websites, and web APIs. Generally, all new applications are created using OIDC.
OAuth | OAuth is used for authorization. | OAuth is used for authorization.

EXAM TIP

It is important to understand the key differences between each protocol and their use.


Custom SaaS app integration 


While you can use any custom application, we will walk through a popular app called 
ClaimsXray, which is used to troubleshoot SAML SSO issues. The goal of this exercise is to: 


■ Understand custom SaaS app integration

■ Customize the default claims being sent and view them


NOTE WHAT IS A SAML CLAIM? 


A claim is information that an identity provider states about a user inside the token it issues for that user. In a SAML token, this data is typically contained in the SAML Attribute Statement. The user's unique ID is typically represented in the SAML Subject, also called the Name Identifier.


Let's begin the custom SSO integration for the application ClaimsXray using the following steps:

1. Launch the Azure AD Admin console by navigating to https://aad.portal.azure.com/ and then clicking Enterprise Application.

2. Click Create your own application.

3. Specify the name ClaimsXray.

4. Select Integrate any other application you don't find in the gallery (non-Gallery) (as shown in Figure 3-24).


[Figure 3-24 shows the Browse Azure AD Gallery page, with Single Sign-on and User Account Management filters and Cloud platforms tiles such as Amazon Web Services (AWS) and Google Cloud Platform]

FIGURE 3-24 Assigning users and groups to an application.


5. Click Single sign-on and choose SAML (as shown in Figure 3-25).

FIGURE 3-25 Specify the SSO using SAML.


6. Configure the single sign-on. Configure the SSO parameters as shown in Figure 3-26. Starting in the Basic SAML Configuration, specify:

   A. Identifier: urn:microsoft:adfs:claimsxray
   B. Reply URL: https://adfshelp.microsoft.com/ClaimsXray/TokenResponse

[Figure 3-26 shows the SAML-based Sign-on page for ClaimsXray with the Basic SAML Configuration section populated with the Identifier and Reply URL above]

FIGURE 3-26 Defining Basic SAML Configuration.


7. Azure AD will supply some default claims, which are commonly used across applications. For the purpose of this exercise, we will add additional claims beyond the default set. Click Edit, as seen in Figure 3-27.


[Figure 3-27 shows the Attributes & Claims section with the default claims: givenname = user.givenname, surname = user.surname, emailaddress = user.mail, name = user.userprincipalname, and Unique User Identifier = user.userprincipalname]

FIGURE 3-27 Modifying the custom claims.


8. In this setup, we will add a new claim called Custom-EmployeeID (but it can be anything that your application is expecting), and we will map it to the user property user.employeeid, as seen in Figure 3-28.


[Figure 3-28 shows the Attributes & Claims page for ClaimsXray: the required claim Unique User Identifier (Name ID) = user.userprincipalname, and the additional claims Custom-EmployeeID = user.employeeid, emailaddress = user.mail, givenname = user.givenname, name = user.userprincipalname, and surname = user.surname]

FIGURE 3-28 Adding a custom claim.
9. Once you have added the custom claim, in this case Custom-EmployeeID, it should be available as part of your Attributes & Claims configuration. Verify that the custom claim was added, as shown in Figure 3-29.


[Figure 3-29 shows the single sign-on page with the Attributes & Claims section, including the Logout Url (Optional) field and the Edit link]

FIGURE 3-29 The custom claim is now part of the Attributes & Claims.


10. In this step, we will configure app authorization, that is, who can access this application. The recommended best practice is to assign via group membership, but for the purpose of this test we can also add a user. Click Users and groups and then select Add user/group (as highlighted in Figure 3-30).


[Figure 3-30 shows the Users and groups page of the ClaimsXray enterprise application, with the Add user/group action and the columns Display Name, Object Type, and Role assigned]

FIGURE 3-30 Assigning users and groups to an application.


11. Now we will verify that the application is available for the user and that the integration is working.

   A. Launch My Apps by browsing to https://myapplications.microsoft.com/
   B. Launch the ClaimsXray app by clicking the ClaimsXray app icon (as shown in Figure 3-31).

[Figure 3-31 shows the My Apps portal with the ClaimsXray tile]

FIGURE 3-31 Launch an application from My Apps.
12. Once the ClaimsXray icon is clicked, it launches a web application. As mentioned earlier, this web application is used to view all the SAML claims, including the custom claim that was added. You can see that the Custom-EmployeeID claim is printed with the appropriate value for the user who launched the application (as highlighted in Figure 3-32).

[Figure 3-32 shows the ClaimsXray Claim/Value table on adfshelp.microsoft.com, listing Custom-EmployeeID alongside the standard authenticationmethod, authnmethodsreferences, displayname, and identityprovider claims]

FIGURE 3-32 Examining the ClaimsXray output.
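As an added example that is not from the book, the following PowerShell script reads the same claims ClaimsXray displays directly out of a SAML assertion and checks that the assertion is for this app's Identifier and carries the Custom-EmployeeID claim. The assertion is constructed for this example (unsigned, placeholder tenant id and values) and Get-SamlClaims is a name chosen here.

```powershell
# Added example (not from the book): inspect the claims ClaimsXray would display, straight
# from a SAML assertion. The assertion below is constructed for illustration (unsigned,
# placeholder tenant id and attribute values). In production, take the assertion from a
# SAML response whose signature has already been validated by your SAML library.
$samlAssertion = @'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user1@fourthcoffee.example</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>urn:microsoft:adfs:claimsxray</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>User</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>user1@fourthcoffee.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Custom-EmployeeID"><saml:AttributeValue>EMP-0042</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
'@

function Get-SamlClaims {
    param([Parameter(Mandatory)][string]$AssertionXml)
    $xml = [xml]$AssertionXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')

    # The Subject (Name ID) is the unique user identifier; the Attribute Statement carries
    # every other claim, including the custom one added in step 8.
    $claims = [ordered]@{
        'NameID'   = $xml.SelectSingleNode('/saml:Assertion/saml:Subject/saml:NameID', $ns).InnerText
        'Issuer'   = $xml.SelectSingleNode('/saml:Assertion/saml:Issuer', $ns).InnerText
        'Audience' = $xml.SelectSingleNode('//saml:Audience', $ns).InnerText
    }
    foreach ($attr in $xml.SelectNodes('//saml:AttributeStatement/saml:Attribute', $ns)) {
        # Multi-valued attributes (for example group claims) arrive as repeated AttributeValue nodes.
        $values = @($attr.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object { $_.InnerText })
        $claims[$attr.GetAttribute('Name')] = ($values -join '; ')
    }
    return $claims
}

$claims = Get-SamlClaims -AssertionXml $samlAssertion

# Checks the relying party should make before trusting the assertion for this app:
# the Audience must equal the Identifier from step 6, and the custom claim must be present.
if ($claims['Audience'] -ne 'urn:microsoft:adfs:claimsxray') { throw 'Assertion was issued for a different Identifier' }
if (-not $claims.Contains('Custom-EmployeeID'))               { throw 'Custom-EmployeeID missing: check Attributes & Claims' }

# Render the Claim / Value table the way ClaimsXray does (Figure 3-32).
$claims.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Claim = $_.Key; Value = $_.Value } } |
    Format-Table -AutoSize
```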


This summarizes the custom application SSO integration with Azure AD. Some SaaS providers would also like to have their SaaS applications listed in the Azure AD gallery so that customers can easily find the application and its integration guide. Finally, you can request Azure Active Directory application integration if you plan to provide your services across multiple tenants or offer a software-as-a-service (SaaS) offering.


NEED MORE REVIEW? HOW TO PUBLISH YOUR APPS IN THE GALLERY

For more information on requesting to publish your application in the Azure Active Directory application gallery, visit: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/v2-howto-app-gallery-listing


Implement application user provisioning 


In this section, we will talk about the need for application provisioning and how Azure AD can
help with automating both provisioning and deprovisioning of users.


Application user provisioning


In the modern world, most applications are moving to the SaaS (software-as-a-service) model.
Protocols like OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) handle
single sign-on (SSO), but users also need an account inside each application before SSO is
useful. The term provisioning refers to automatically creating the user identity (and, where
the application supports it, assigning app roles) in the target application.
Application administrators have historically relied on either manual provisioning (Excel/CSV
files imported into flow-based tools) or on approaches like SAML just-in-time (JIT)
provisioning. These methods can create users, but as people leave or change roles it is just
as important to deprovision, or remove, access. A JIT-only integration never does this, so
orphaned accounts accumulate, which presents a security risk through excessive data access
and drives unnecessary application license costs. Figure 3-33 shows how Azure AD addresses
this with automation and a standards-based integration called SCIM (System for Cross-domain
Identity Management).


[Figure 3-33 shows the provisioning relationships between a cloud HR system, on-premises
Active Directory, Azure AD, and a SaaS application such as Salesforce.]

FIGURE 3-33 Azure AD support for provisioning.


Azure AD includes application integrations that support automatic provisioning and
deprovisioning of user identities, so access adapts as business needs and user roles change.


In general, the functions of app provisioning include the features listed in Table 3-5.


TABLE 3-5 App provisioning capabilities

Function             Description
User Provisioning    Automatically create new accounts in the right systems for new people
                     when they join your team or organization.
User Deprovisioning  Automatically deactivate accounts in the right systems when people leave
                     the team or organization.
Group Provisioning   Ability to provision groups to applications that support them.
Customization        Attributes can be mapped to existing attributes in the target application
                     or transformed on the way out.
Governance           Monitoring and auditing capabilities for users getting provisioned into
                     the application.


NEED MORE REVIEW? WHAT IS APP PROVISIONING? 


For more information on app provisioning in Azure Active Directory, visit: 
https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/user-provisioning 
Automated vs. manual provisioning
Azure AD supports a range of applications in both modes:


■ Automated provisioning means that Azure AD has a provisioning connector for the
application and can create, update, and disable accounts without administrator action.

■ Manual provisioning means that accounts must be created by some other means. This can
be done by exporting identities to text/CSV files and running import operations in the
application. Some enterprises also run scheduled tasks with custom logic for the
export/import of users.

Azure AD Gallery applications that support user provisioning can be identified or filtered in
the Azure AD Enterprise applications gallery by applying a filter on the User Account
Management field, as highlighted in Figure 3-34. A gallery application also shows a small
Provisioning icon if it supports automated provisioning.


[Figure 3-34 shows the Browse Azure AD Gallery page with the User Account Management filter
set to Automated Provisioning.]

FIGURE 3-34 Application filter to identify applications that support provisioning.
Figure 3-35 shows the Salesforce application enabled for automated provisioning. The
configuration steps vary from application to application; follow the provisioning tutorial
linked from the application's gallery entry.


[Figure 3-35 shows the Salesforce | Provisioning blade with Stop, Restart, and Edit
provisioning actions, the current cycle status (incremental cycle completed, steady state
achieved), and a fixed provisioning interval of 40 minutes.]

FIGURE 3-35 The Salesforce application enabled for provisioning.


Once provisioning is configured, automation is achieved simply by assigning specific users
or groups to the application. Figure 3-36 shows the MyOrgSFAdmins group, whose members are
automatically provisioned into Salesforce as System Administrators. When a user is removed
from the group, that user is automatically deprovisioned on the next provisioning cycle (the
service runs on a fixed interval, 40 minutes in Figure 3-35), so expect a short window
between the group change and the account being disabled in the application.


[Figure 3-36 shows the Salesforce | Users and groups blade listing the assigned groups and
the Salesforce role assigned to each, such as Chatter Free User and System Administrator.]

FIGURE 3-36 Salesforce automated roles provisioning based on group membership.


228 CHAPTER 3 Implement Access Management for Apps
Humble Bundle MS Exam Ref Pearson Mega Bundle. © Pearson. Do Not Distribute.


System for Cross-domain Identity Management (SCIM)


While API-based or proprietary automated provisioning exists, these integrations differ
from application to application and require extensive knowledge of each application's
schema and API before a connector can be written. These challenges were addressed with a
standard called SCIM (the current version, SCIM 2.0, is defined in RFC 7643 and RFC 7644),
which is the de facto standard for provisioning and complements OIDC or SAML for SSO in a
fully standards-based integration.


SCIM defines a REST API to create, update, and delete objects using a predefined schema
for common attributes like username, email, etc., across two endpoints: /Users and /Groups.
This means that developers can simply make standards-based REST calls (POST, GET, PATCH,
DELETE) to the defined endpoints to complete operations like creating users and groups.
Figure 3-37 shows how SCIM endpoints can be used to provision required attributes for the
application.


[Figure 3-37 shows Azure AD user attributes (first name, last name, given name, UPN, email,
employee ID, manager, country) mapped through SCIM endpoints to the subset each application
requires, for example given name, email, and role for Salesforce.]

FIGURE 3-37 SCIM endpoints for attributes provisioning.


In summary, SCIM provides standards-based integration for SaaS or LOB applications without
Azure AD having to know how objects are represented inside the application, giving a more
consistent and faster way to build apps with provisioning support.
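The following is an added example, not code from the book or from Microsoft: a minimal in-memory SCIM 2.0 /Users endpoint covering the subset of RFC 7643/7644 that a provisioning client such as Azure AD exercises, and the deprovisioning flow described in the provisioning section above (lookup by userName, then PATCH active=false). The schema URNs, the `userName eq "value"` filter form, and the PatchOp shape are the standard ones; the store class, the `deprovision` helper, and the sample users are constructed for this example.

```python
# Added example (not from the book): in-memory SCIM 2.0 /Users endpoint, RFC 7643/7644 subset.
# Each method returns (http_status, response_body) as a web framework would send them.
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# The provisioning service matches existing accounts with a filter like: userName eq "value"
FILTER_RE = re.compile(r'^(\w+) eq "([^"]*)"$')


def scim_error(status, detail):
    """Standard SCIM error envelope, returned with its HTTP status."""
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


def to_bool(value):
    # Older Azure AD provisioning clients sent booleans in PATCH bodies as the strings
    # "True"/"False"; tolerate both forms instead of rejecting a deprovisioning update.
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


class ScimUserStore:
    """Server-side state behind /Users (constructed for the example)."""

    def __init__(self):
        self.users = {}

    def _find_by_username(self, user_name):
        return next((u for u in self.users.values()
                     if u["userName"].lower() == user_name.lower()), None)

    def create(self, body):  # POST /Users
        if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
            return scim_error(400, "schemas must include the core User schema and userName is required")
        if self._find_by_username(body["userName"]):
            return scim_error(409, "userName already exists")  # uniqueness is enforced server-side
        user = {
            "schemas": [USER_SCHEMA],
            "id": str(uuid.uuid4()),               # server-assigned and immutable
            "externalId": body.get("externalId"),  # the source directory's identifier for the user
            "userName": body["userName"],
            "name": body.get("name", {}),
            "emails": body.get("emails", []),
            "active": to_bool(body.get("active", True)),
        }
        self.users[user["id"]] = user
        return 201, user

    def get(self, user_id):  # GET /Users/{id}
        user = self.users.get(user_id)
        return (200, user) if user else scim_error(404, "user not found")

    def list(self, filter_expr=None):  # GET /Users?filter=...
        match = FILTER_RE.match(filter_expr or "")
        if filter_expr and not match:
            return scim_error(400, "unsupported filter; only '<attr> eq \"value\"' is implemented")
        results = list(self.users.values())
        if match:
            attr, value = match.groups()
            results = [u for u in results if str(u.get(attr, "")).lower() == value.lower()]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(results),
                     "startIndex": 1, "itemsPerPage": len(results), "Resources": results}

    def patch(self, user_id, body):  # PATCH /Users/{id}
        user = self.users.get(user_id)
        if not user:
            return scim_error(404, "user not found")
        if PATCH_SCHEMA not in body.get("schemas", []):
            return scim_error(400, "schemas must include the PatchOp schema")
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                return scim_error(400, "only 'replace' operations are implemented")
            value = op.get("value")
            if op.get("path"):                      # {"op":"Replace","path":"active","value":false}
                changes = {op["path"]: value}
            elif isinstance(value, dict):           # {"op":"Replace","value":{"active":false}}
                changes = dict(value)
            else:
                return scim_error(400, "replace without a path requires an object value")
            for attr, new_value in changes.items():
                if attr == "id":
                    return scim_error(400, "id is immutable")
                user[attr] = to_bool(new_value) if attr == "active" else new_value
        return 200, user

    def delete(self, user_id):  # DELETE /Users/{id}
        if user_id not in self.users:
            return scim_error(404, "user not found")
        del self.users[user_id]
        return 204, None


def deprovision(store, user_name):
    """What the provisioning service does when a user drops out of the assigned group:
    find the account by userName, then PATCH active=false (a soft disable) so the user can
    no longer sign in while the record stays available to the application owner."""
    status, body = store.list(f'userName eq "{user_name}"')
    if status != 200 or body["totalResults"] == 0:
        return 404, None
    user_id = body["Resources"][0]["id"]
    return store.patch(user_id, {"schemas": [PATCH_SCHEMA],
                                 "Operations": [{"op": "Replace", "path": "active", "value": "False"}]})
```

The store deliberately returns 409 on a duplicate userName and 400 on an unsupported filter: a connector that silently created duplicates, or that returned every user when it did not understand the filter, would either orphan accounts or let the client "match" the wrong one, which is exactly the lingering-access problem provisioning is meant to solve.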


Integrate on-premises apps by using the Azure AD 
Application Proxy 


The Azure AD Application Proxy service is a part of Azure AD. It enables secure remote
access to applications hosted on-premises or on public clouds for remote users and is
generally considered a replacement for VPN for accessing private/internal applications. It
requires a minimum of an Azure AD Premium P1 license. A typical use of App Proxy is to
publish LOB web applications, but it is not limited to that: on-premises SharePoint sites,
Remote Desktop, web applications that require header-based authentication, and
WebSocket applications like Qlik and Tableau can all be published.
Azure AD Application Proxy features


Here are some of the key features that enterprises can use the Azure AD Application Proxy
service for:


■ Provides a secure way to access web applications remotely.

■ You can enforce modern security controls like MFA and device compliance when accessing
the web applications remotely via the Application Proxy service without modifying the
web application or rewriting any code.

■ Support for a wide set of applications, such as LOB web applications, IWA (Integrated
Windows Authentication) applications, applications using header-based authentication, the
Remote Desktop Gateway service, or any client apps integrated with ADAL/MSAL.

■ Support for custom domain names externally. You can publish the application with familiar
URLs, e.g., app1.contoso.com, making it simpler for end users to access applications.

■ Integration with the MyApps portal: all the Application Proxy applications can be
published to the MyApps portal for ease of discovery.


Azure AD Application Proxy roles 


The Azure Application Proxy service supports Azure AD role-based access control (RBAC). 
The Azure AD Application Proxy management role can be delegated to an application admin- 
istrator instead of relying on a global administrator. Two key operations that Azure AD Applica- 
tion Proxy admins generally perform are covered in Table 3-6. 


TABLE 3-6 Azure AD App Proxy Operations and Roles

Operation               Description
Connector Installation  You must have local administrator rights on the Windows server to
                        install the connector, and the installing admin must also hold the
                        Application Administrator role, which is required to register the
                        connector instance with Azure AD during the installation process.
Application Management  This includes both application publishing and management. Application
                        Administrators can manage all applications in the directory, including
                        registrations, SSO settings, user and group assignments and licensing,
                        Application Proxy settings, and consent. The role does not grant the
                        ability to manage Conditional Access.
Application Proxy flow


Let's examine the architecture of the Application Proxy service. Figure 3-38 shows the
architecture and the flow overview.

[Figure 3-38 shows the Application Proxy service in Azure AD, the Application Proxy
connector on the on-premises network, the on-premises web server, and on-premises Active
Directory.]

FIGURE 3-38 Azure AD Application Proxy architecture.


1. The user hits the application endpoint (the external URL) and is redirected to Azure AD
to acquire a token and satisfy all requirements enforced by the administrators. Because
App Proxy is integrated with Azure AD, advanced features like MFA, risk-based policy, device
compliance, etc. are available natively as Conditional Access controls.

Note: While Azure AD Application Proxy requires a P1 license, advanced Conditional Access
policy elements like sign-in risk or user risk require at least a P2 license.

2. Once authentication succeeds, Azure AD issues a token to the client.

3. The client passes the token to the Application Proxy service, which retrieves basic
information like the UPN (User Principal Name) and SPN (Service Principal Name) from the
token and sends the request to one of the connectors in the connector group assigned to
the application.

4. If the application is configured for KCD (Kerberos constrained delegation), the connector
reaches out to the local domain controllers for a Kerberos ticket on behalf of the user
(optional).

Note: Connectors do not have to be AD domain joined if your applications do not require KCD.

5. The connector sends the request to the on-premises application.

6. The response from the application is sent back through the Application Proxy connector
and the App Proxy service to the user.

Note: At no point is an inbound port opened from the public internet to the on-premises
application; the connector establishes only outbound connections to the Application Proxy
service. This is a security benefit over traditional application publishing, where incoming
ports must be opened, punching holes in the public-facing firewall.

7. The user can now access the web application.




Adding the Application Proxy application
In this exercise, we will cover the essential settings to publish an on-premises application
using the Azure AD App Proxy. Follow these steps:
1. Launch the Azure AD admin center by navigating to https://aad.portal.azure.com/ and
then click Enterprise applications.
2. Select Create your own application, select Configure Application Proxy for secure
remote access to an on-premises application, and specify the Name of the app (as
shown in Figure 3-39).


[Figure 3-39 shows the Browse Azure AD Gallery page with the Create your own application
pane open, asking for the name of the app.]

FIGURE 3-39 Adding the App Proxy application from the Azure AD console.


3. You will notice that the Application Proxy application shares properties with SaaS
applications, such as Owners, Roles and administrators, Users and groups, etc., so those
are not discussed again here. Our focus is the Application proxy blade and its specific
configuration, such as the internal URL, as shown in Figure 3-40. All the details are also
listed in Table 3-7.


[Figure 3-40 shows the myHrApp | Application proxy blade with the Basic Settings: Internal
URL, External URL (a *.msappproxy.net address for the tenant), and Pre Authentication.]

FIGURE 3-40 Application Proxy settings.
TABLE 3-7 App Proxy service configuration parameters

Field              Description
Name               The application name presented in Azure and the MyApps portal.
Internal URL       The URL used to access the application internally on the private network.
                   It must be reachable from the App Proxy connector.
                   The URL can be set to the root of the site or to a specific path if you
                   only wish to publish a certain part of the website, such as
                   http://hr.woodgrove.com/HrPolicy/.
External URL       The address used to access the application from outside your private
                   network. You can either use the default app proxy domain *.msappproxy.net
                   or choose your own custom domain.
                   Note: A custom domain requires external DNS updates and a public
                   certificate for the domain name.
Pre-Authentication You can choose:
                   Azure Active Directory: Users are redirected to Azure AD for sign-in and
                   must be authenticated before they can reach the application. You can
                   enforce security controls like MFA (multifactor authentication),
                   Conditional Access, etc.
                   Passthrough: Users are not authenticated by the Azure AD Application Proxy
                   service; the request is forwarded as-is. This is only suitable if your
                   backend application handles authentication itself, and it forfeits
                   Conditional Access for that application.
Connector Group    Connector groups are sets of connectors that serve the requests for the
                   Application Proxy service.
                   You can assign a single connector group to multiple applications.
                   You can have multiple connector groups based on application type or
                   geographic location if desired.
                   Have a minimum of two connectors in a production connector group for
                   resilience. Do not use the default connector group for production
                   applications.


4. There are additional configuration properties on the same page if you scroll down.
Figure 3-41 shows the Additional Settings, while Table 3-8 covers the most used options.

[Figure 3-41 shows the Additional Settings: Backend Application Timeout (Default), Use
HTTP-Only Cookie, Use Secure Cookie, Use Persistent Cookie, and Translate URLs In Headers /
Application Body.]

FIGURE 3-41 Additional Azure AD App Proxy Application configuration settings.
Of the additional configuration parameters, the two most widely used settings are described
in Table 3-8.


TABLE 3-8 Additional App Proxy configuration

Field             Description
Translate URLs In You might use an external name that is different from the application's
                  internal name. The App Proxy service can automatically rewrite the internal
                  URL in HTTP headers and, optionally, in the links within the HTML body so
                  that they reflect the external URL when exposed through App Proxy.
Certificate       A certificate is required whenever you use a custom domain name for an
                  application published through App Proxy, for example hrweb.contoso.com
                  rather than the default *.msappproxy.net address.


NEED MORE REVIEW? AZURE AD APPLICATION PROXY SETUP WALKTHROUGH


Use the reference links to walk through the overall process of setting up an Azure AD
Application Proxy application with Kerberos constrained delegation (KCD):


■ https://mslearn.cloudguides.com/guides/Provide%20secure%20remote%20
access%20to%20on-premises%20applications%20with%20Azure%20AD%20
Application%20Proxy


■ https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-
proxy-add-on-premises-application


Monitor and audit access/sign-ons to an Azure AD
integrated Enterprise application


Azure AD provides a rich set of capabilities for admins to understand the state of the
platform. Changes happening within the platform, for example an application administrator
adding a new application or a configuration update to the Conditional Access service, are
generally considered auditing events and are captured in the audit logs. Transactional
events, such as which users signed in from which devices and IP addresses and whether or
not the sign-in succeeded, are captured in the sign-in logs.


Audit logs


Audit logs are key to tracking changes to services for both operational and compliance
purposes. The data is considered privileged information and can only be accessed by these
roles:


■ Security Administrator
■ Security Reader
■ Report Reader
■ Global Reader
■ Global Administrator
Both Audit logs and Sign-in logs are available in the Monitoring section of Azure Active
Directory. If you launch the audit logs from the Monitoring blade, they display events from
all services. Figure 3-42 shows the Audit log and its details.

[Figure 3-42 shows the FourthCoffee | Audit logs blade with the Activity list and the
Audit Log Details pane.]

FIGURE 3-42 Azure Active Directory Audit logs.


The default view can be customized to add/remove columns. In general, administrators can
specify additional columns to view, choose a 24-hour, 7-day, or 30-day window for the
audit log data, and download/export the data as a CSV file (as shown in Figure 3-43).

[Figure 3-43 shows the audit log filter bar: date range, show dates as local, service,
category, activity, and target filters.]

FIGURE 3-43 Azure Active Directory Audit logs filters and settings.


You can also launch the audit logs from Enterprise applications, in which case the logs are
filtered to Enterprise application events. You can get insights like those shown in
Figure 3-44:

■ When was an application added?
■ Who created the service principal?
■ Who provided the consent for the app?
■ Who added the application?
■ Who modified the application?
[Figure 3-44 shows Enterprise applications | Audit logs filtered to the
ApplicationManagement category, listing Core Directory activities such as Add service
principal, Add owner to application, and Add application, each with a Success status.]

FIGURE 3-44 Azure Active Directory Audit Logs from Enterprise applications.


Usage insights

Azure AD can present a summarized view of application usage indicators like successful
authentications, failed authentications, and how many users access the application. These
insights are valuable because they surface patterns that would otherwise be difficult to
extract from raw logs, as shown in Figure 3-45.


To access the insights reports:
1. Launch the Azure AD console and choose Enterprise applications.
2. From the Activity section, select Usage & insights to open the report.
3. Click the Azure AD application activity report.


[Figure 3-45 shows the Usage & insights | Azure AD application activity (Preview) report,
with one row per application listing successful sign-ins, failed sign-ins, and success rate.]

FIGURE 3-45 Azure AD application activity report showing app summary statistics.
This report can be used to determine multiple things, including but not limited to:
■ What does the application usage look like?
■ Are users in general able to successfully access the application?
■ Trend analysis for application access, such as what time of day the app is accessed.
The View sign-in activity option provides additional insight into the sign-in activity by
day and lists the most common sign-in errors, as shown in Figure 3-46.


[Figure 3-46 shows Usage & insights - Salesforce with a sign-in activity chart for the
selected number of days and a Sign-in failures list; the example failure is "No reply
address is registered for the application" (AADSTS500113).]

FIGURE 3-46 App activity showing usage including login success and failures for a given period.


Additionally, the Success and Failure counts in Figure 3-46 link to the underlying sign-in
events, where you can see detailed information about each specific sign-in. Figure 3-47
shows the sign-in details for the specific application.

[Figure 3-47 shows the Salesforce sign-in events list filtered to the last 7 days, with an
Activity Details: Sign-ins pane offering the Basic info, Location, Device info, and
Authentication Details tabs.]

FIGURE 3-47 A sign-in event showing details about the event.
Implement and configure consent settings


Azure AD lets applications take advantage of the platform's scale and flexibility for
application integration. Users can consent to applications from many service providers
using their work accounts. However, Azure AD also gives organizations the ability to regulate
which apps their users can consent to, avoiding unwanted exposure to malicious applications
(for example, consent-phishing apps that request broad permissions) that a normal user might
not recognize, without sacrificing the user experience. By default, all users can consent to
any application that does not require admin consent.


User consent settings 


In general, consent settings allow an admin to set limits on when end users are allowed to
grant consent to apps and when they will be required to request administrator review and
approval, as shown in Figure 3-48.

[Figure 3-48 shows Consent and permissions | User consent settings with three options under
User consent for applications: Do not allow user consent; Allow user consent for apps from
verified publishers, for selected permissions (Recommended); and Allow user consent for apps.]

FIGURE 3-48 The User consent settings page.
Table 3-9 describes the impact of the various User consent settings options.


TABLE 3-9 User consent configuration options

Consent setting                   Description
Disable user consent              Users cannot grant permissions to applications. Users can
                                  continue to sign in to apps they had previously consented to
                                  or that administrators consented to on their behalf, but they
                                  cannot consent to new permissions or to new apps on their own.
                                  Only users who hold a directory role that includes the
                                  permission to grant consent can consent to new apps.
Users can consent to apps from    All users can consent only to apps published by a verified
verified publishers or your       publisher or registered in your tenant, and only for the
organization, but only for        permissions you have classified as "low impact." You must
permissions you choose            classify permissions to choose which ones users are allowed
                                  to consent to.
Users can consent to all apps     All users can consent to any permission that does not require
                                  administrator consent, for any application.
Custom app consent policy         Provides more granular controls, configured using Azure AD
                                  PowerShell rather than the portal.


Administrators can further define what a low-risk permission looks like for their
organization. The permission classifications settings let them classify permissions per
their policies, making it efficient and safe for users to consent with limited exposure.
Only delegated permissions that do not require admin consent can be classified as low
impact; application permissions always require an administrator. Figure 3-49 shows an admin
classifying permissions.


[Figure 3-49 shows Consent and permissions | Permission classifications, where low-risk
delegated permissions such as "Sign in and read user profile" and "Maintain access to data
you have given it access to" are selected for classification.]

FIGURE 3-49 User consent settings related to permissions classification.
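The following is an added example, not code from the book or any Microsoft component: a policy-evaluation routine that models the three user consent settings in Table 3-9 together with the permission classification shown in Figure 3-49, so you can reason about which consent prompts a regular user will be able to complete before changing the tenant setting. The setting names, the `Permission` and `App` records, the sample permissions, and the sample apps are all constructed for this example.

```python
# Added example (not from the book): evaluate whether a regular user may consent to an app
# under the user consent settings of Table 3-9 and the low-impact classification of Figure 3-49.
from dataclasses import dataclass, field

DISABLED = "disabled"                        # "Do not allow user consent"
VERIFIED_LOW_IMPACT = "verified_low_impact"  # "verified publishers, for selected permissions"
ALL_APPS = "all_apps"                        # "Allow user consent for apps"


@dataclass
class Permission:
    api: str                  # resource API, e.g. "Microsoft Graph"
    name: str                 # scope or app role value, e.g. "User.Read"
    kind: str                 # "delegated" or "application"
    admin_only: bool = False  # the API marks this delegated scope as admin-consent-only


@dataclass
class App:
    display_name: str
    publisher_verified: bool
    registered_in_tenant: bool
    requested: list = field(default_factory=list)


@dataclass
class ConsentPolicy:
    user_consent: str
    low_impact: set = field(default_factory=set)  # {(api, name)} classified as low impact


def evaluate_consent(policy, app):
    """Return ("allowed", []) if a regular user may consent to everything the app asks for,
    otherwise ("admin_required", reasons) listing every blocking reason."""
    reasons = []
    # Application permissions and admin-only scopes need an administrator whatever the setting.
    for p in app.requested:
        if p.kind == "application":
            reasons.append(f"{p.api}/{p.name}: application permissions always require admin consent")
        elif p.admin_only:
            reasons.append(f"{p.api}/{p.name}: scope requires admin consent")

    if policy.user_consent == DISABLED:
        reasons.append("user consent is disabled for the tenant")
    elif policy.user_consent == VERIFIED_LOW_IMPACT:
        if not (app.publisher_verified or app.registered_in_tenant):
            reasons.append(f"{app.display_name}: publisher not verified and app not registered in this tenant")
        for p in app.requested:
            if p.kind == "delegated" and not p.admin_only and (p.api, p.name) not in policy.low_impact:
                reasons.append(f"{p.api}/{p.name}: not classified as low impact")
    elif policy.user_consent != ALL_APPS:
        raise ValueError(f"unknown user consent setting: {policy.user_consent}")

    return ("admin_required" if reasons else "allowed"), reasons


def classify_low_impact(policy, permission):
    """Mirror the portal's rule: only delegated permissions that do not require admin consent
    can be classified as low impact. Returns True if the classification was recorded."""
    if permission.kind != "delegated" or permission.admin_only:
        return False
    policy.low_impact.add((permission.api, permission.name))
    return True
```

Running the same consent-phishing style app (unverified publisher, asks for mailbox write access) through the three settings shows the practical difference: under "all apps" it sails through, under the recommended setting it is stopped twice (unverified publisher and an unclassified permission), and under "disabled" every app is stopped, including the benign one.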
NOTE AZURE AD CAN BLOCK RISKY CONSENT REQUESTS


Azure AD applies risk-based step-up consent: when it detects a risky consent request, user
consent is blocked and admin consent is required instead. If the admin consent request
workflow isn't enabled, the user sees the following message:


■ AADSTS90094: <clientAppDisplayName> needs permission to access resources in
your organization that only an admin can grant. Request an admin to grant permission
to this app before you can use it.


■ Additionally, the audit logs contain an entry with an activity type of Consent to
application and a status reason of Risky application detected within the Application
Management category.
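The following is an added example, not code from the book or from Microsoft: a detection pass over exported audit log records that answers the questions listed under Figure 3-44 (who added a service principal, who consented) and picks out the Risky application detected entries described in the note above. The record shape mirrors the Microsoft Graph directoryAudit resource (activityDateTime, category, activityDisplayName, result, resultReason, initiatedBy, targetResources); the records themselves, the fourthcoffee.example accounts, and the list of accounts expected to register apps are constructed for this example.

```python
# Added example (not from the book): detection rules over Azure AD audit log records
# in the Microsoft Graph directoryAudit shape. All sample data below is constructed.
import json
from datetime import datetime

# Assumption for the example: accounts that are expected to register apps and grant consent.
EXPECTED_ADMINS = {"appadmin@fourthcoffee.example"}

# Constructed sample export (a JSON array of directoryAudit-style records).
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDateTime": "2022-03-13T20:48:14Z", "category": "ApplicationManagement",
     "activityDisplayName": "Add service principal", "result": "success", "resultReason": "",
     "initiatedBy": {"user": {"userPrincipalName": "appadmin@fourthcoffee.example"}},
     "targetResources": [{"displayName": "ClaimsXray", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2022-03-13T21:05:02Z", "category": "ApplicationManagement",
     "activityDisplayName": "Consent to application", "result": "failure",
     "resultReason": "Risky application detected",
     "initiatedBy": {"user": {"userPrincipalName": "jbisht@fourthcoffee.example"}},
     "targetResources": [{"displayName": "Free Document Viewer", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2022-03-13T21:20:11Z", "category": "ApplicationManagement",
     "activityDisplayName": "Add service principal", "result": "success", "resultReason": "",
     "initiatedBy": {"user": {"userPrincipalName": "jbisht@fourthcoffee.example"}},
     "targetResources": [{"displayName": "Expense Tracker", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2022-03-13T21:30:47Z", "category": "ApplicationManagement",
     "activityDisplayName": "Consent to application", "result": "success", "resultReason": "",
     "initiatedBy": {"user": {"userPrincipalName": "jbisht@fourthcoffee.example"}},
     "targetResources": [{"displayName": "Expense Tracker", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2022-03-13T21:45:00Z", "category": "ApplicationManagement",
     "activityDisplayName": "Consent to application", "result": "success", "resultReason": "",
     "initiatedBy": {"user": {"userPrincipalName": "appadmin@fourthcoffee.example"}},
     "targetResources": [{"displayName": "Free Document Viewer", "type": "ServicePrincipal"}]},
])


def load_audit_log(text):
    """Parse an exported audit log (a JSON array of directoryAudit-style records)."""
    return json.loads(text)


def event_time(record):
    return datetime.strptime(record["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def actor_of(record):
    """initiatedBy carries either a user or an app; fall back to 'unknown' for neither."""
    who = record.get("initiatedBy") or {}
    user, app = who.get("user") or {}, who.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def target_of(record):
    targets = record.get("targetResources") or [{}]
    return targets[0].get("displayName", "unknown")


def detect(records, expected_admins=EXPECTED_ADMINS):
    """Run three rules over ApplicationManagement events; findings come back in time order."""
    findings = []
    for r in sorted(records, key=event_time):
        if r.get("category") != "ApplicationManagement":
            continue
        activity, actor, app = r.get("activityDisplayName"), actor_of(r), target_of(r)
        base = {"time": r["activityDateTime"], "actor": actor, "app": app, "activity": activity}
        reason = (r.get("resultReason") or "").lower()
        if activity == "Consent to application" and "risky application detected" in reason:
            findings.append({**base, "severity": "high",
                             "rule": "risk-based step-up consent blocked a user consent"})
        elif activity in ("Add service principal", "Add application") and actor not in expected_admins:
            findings.append({**base, "severity": "medium",
                             "rule": "service principal or app added by a non-admin account"})
        elif activity == "Consent to application" and r.get("result") == "success" \
                and actor not in expected_admins:
            findings.append({**base, "severity": "low",
                             "rule": "user consent granted to an application"})
    return findings


def risky_apps_later_consented(records):
    """Correlate a 'Risky application detected' block with any later successful consent to the
    same app; that later approval deserves a review to confirm it was deliberate."""
    blocked_at, approvals = {}, []
    for r in sorted(records, key=event_time):
        if r.get("activityDisplayName") != "Consent to application":
            continue
        app = target_of(r)
        if "risky application detected" in (r.get("resultReason") or "").lower():
            blocked_at.setdefault(app, event_time(r))
        elif r.get("result") == "success" and app in blocked_at and event_time(r) > blocked_at[app]:
            approvals.append((app, actor_of(r)))
    return approvals
```

The correlation in `risky_apps_later_consented` is the one to wire into a ticketing workflow: a block followed by an approval is not necessarily wrong (the admin consent request workflow exists for exactly this), but it is the point at which a consent-phishing app gets into the tenant if the approver did not look closely.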


Skill 3.2: Implement app registrations


Organizations use Azure AD as the identity platform both for their own line-of-business
(LOB) applications and for applications offered as SaaS to other Azure AD tenants.
Understanding the application registration model and its security controls is critical to
a successful integration.


This skill covers how to:
■ Plan your line-of-business application registration strategy
■ Implement application registrations
■ Configure application permissions and implement application authorization


Plan your line-of-business application registration strategy


Azure AD offers wide support for application integration; enterprises can take advantage
of the security and scale of the global service. We'll cover these topics:

■ Fundamentals of app registration
■ What is an Application Object?
■ What is a Service Principal Object?

It is important to understand how an application is represented in Azure AD. There are two
representations: Application Objects and Service Principal Objects.


■ Application Objects define and describe the application to Azure AD. This enables
Azure AD to know how to issue tokens to the application based on its configuration. The
directory where the Application Object is created is called its home directory, a
distinction that matters for multi-tenant applications. The Application Object contains
information such as the Name, Redirect URIs, Certificates & Secrets, App Roles, SSO
metadata, etc. Figure 3-50 shows the application object properties.
[Figure 3-50 lists the Application Object properties held in the home directory: name, logo,
publisher; redirect URLs; certificates & secrets; APIs (resources/scopes/dependencies); app
roles; SSO metadata; and user provisioning metadata and config, with Service Principals
instantiated from it in each organizational directory.]

FIGURE 3-50 Azure AD Application Object key properties.


■ Service Principals govern how an application is used in a given directory. While the
Application Object exists only in the home directory, an instance of the application,
called a Service Principal, exists in every tenant where the application is used. It holds
the directory-specific configuration: logo, name, user/group assignments, Conditional
Access policies, role assignments, claims transformations, etc. Figure 3-51 shows the
relationship between an Application and a Service Principal.


[Figure 3-51 lists the Service Principal properties held in the organizational directory:
users/group assignment, app permissions, local policies (Conditional Access), settings,
claims transformation, attribute mapping, and directory-specific roles/logo/name.]

FIGURE 3-51 Azure AD Service Principal Object key properties.


The relationship between Application Object and Service Principal Objects 


An application has an Application Object in its home directory and a Service Principal in 
every other directory that uses it. If the application is also used in its home directory, 
that directory holds both the Application Object and a Service Principal, as CustomApp shows 
in Figure 3-52, which depicts the relationship for the various types of applications. 


The CustomApp represents: 
■ Your custom-developed application as integrated with Azure AD 
■ Any apps you connected for SSO 
■ Internal apps published using the Azure AD Application Proxy 

It is also important to note that Microsoft maintains the following two directories: 
■ Microsoft Apps (the Microsoft service directory, for example Office 365) 
■ Pre-integrated third-party applications (the Azure AD App Gallery) 


[Figure 3-52: Application Objects live in the Microsoft Services directory (Office 365), in 
the Azure AD App Gallery (SpeakerEngage App), and in Your Organization (CustomApp); Your 
Organization also holds a Service Principal Object for each of them.] 

FIGURE 3-52 Azure AD application and Service Principal Object relationship. 
Service Principals can be created through multiple entry points, including the Azure AD 
portal, Azure AD PowerShell, and the Microsoft Graph API. Users can also create a Service 
Principal implicitly by consenting to an application, provided user consent has not been 
blocked in the tenant. Figure 3-53 depicts the implicit Service Principal creation flow 
when a user tries to access the application for the first time. 


[Figure 3-53: A user's sign-in to the Application triggers consent, and Azure AD creates the 
Service Principal in the user's tenant.] 

FIGURE 3-53 Service Principal creation flow from user consent. 


The flow for implicit Service Principal creation is as follows: 

1. A user attempts to sign in to the app. The app requests a token for itself from the 
authorization endpoint. 

2. The user's credentials are acquired and verified for authentication. 

3. The user is prompted to consent to the permissions the app is requesting in the user's 
tenant (as in Figure 3-54). 
[Figure 3-54: Microsoft consent prompt shown to gadmin@fourthcoffee1.onmicrosoft.com. 
"Permissions requested" by the app calendly; "This application is not published by Microsoft 
or your organization." This app would like to: Sign you in and read your profile; Read your 
calendars; Read and write to your calendars. Checkbox: Consent on behalf of your 
organization. "Accepting these permissions means that you allow this app to use your data 
as specified in their terms of service and privacy statement. The publisher has not provided 
links to their terms for you to review." Link: Does this app look suspicious? Report it here.] 

FIGURE 3-54 Application consent screen. 


4. Azure AD uses the Application Object in the application's home tenant as a blueprint to 
create a Service Principal in the user's tenant. 

5. The user receives the requested token to access the application. 


NOTE BLOCKING END USERS FROM REGISTERING APPLICATIONS AND CREATING SERVICE PRINCIPALS 
Two different tenant settings are involved. To prevent users from registering their own 
applications (creating Application Objects): 
■ In the Azure portal, go to Azure Active Directory > User settings. 
■ Change Users can register applications to No. 
Implicit Service Principal creation through consent is controlled separately, under 
Enterprise applications > Consent and permissions > User consent settings. Set user consent 
to Do not allow user consent (or restrict it to apps from verified publishers requesting 
low-impact permissions) if users should not be able to add applications to the tenant by 
consenting to them. 


Implement application registrations 

Application registration is the process of establishing a trust relationship between the 
Microsoft identity platform and your application. The application is commonly a client app, 
such as a web app, a web API, or a mobile app. 

One of the following Azure AD roles is required to create app registrations (any user can 
also register apps while Users can register applications is set to Yes, which is the default): 
■ Application administrator 
■ Application developer 
■ Cloud application administrator 


244 CHAPTER3 Implement Access Management for Apps 
Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


EXAM TIP 


It is important to understand each of the built-in application administrator roles and to be 
clear about which types of applications each role can manage. 


The next section covers the app registration process and its configuration parameters. 
To register the application: 
1. Sign in to the Azure portal. 
2. Under Manage, select App registrations, and then select New registration. 
3. Enter a Name for your application and specify the Supported account types, or sign-in 
audience (who can use the application). 
4. Specify a Redirect URI (optional). The redirect URI is where Azure AD sends the user's 
client, together with the security tokens, after authentication. In a production app this 
is typically a public HTTPS endpoint where your app runs. 
5. Select Register to complete the initial app registration, as shown in Figure 3-55. 


[Figure 3-55: Register an application. Name: myBusinessApp ("The user-facing display name 
for this application; this can be changed later"). Supported account types ("Who can use 
this application or access this API?"): Accounts in this organizational directory only 
(FourthCoffee only - Single tenant); Accounts in any organizational directory (Any Azure AD 
directory - Multitenant); Accounts in any organizational directory (Any Azure AD directory - 
Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox); Personal Microsoft accounts 
only. Redirect URI (optional): "We'll return the authentication response to this URI after 
successfully authenticating the user. Providing this now is optional and it can be changed 
later, but a value is required for most authentication scenarios." Platform: Web, value 
https://mybusinessapp.fourthcoffee.com. Other platform choices: Public client/native 
(mobile & desktop), Single-page application (SPA). Register button.] 

FIGURE 3-55 App registration configuration page. 
Azure AD supports multiple types of accounts, as shown in Figure 3-55. Table 3-10 describes 
when to use each account type. The most common option for applications inside an 
enterprise is Accounts in this organizational directory only. 


TABLE 3-10 Azure AD App Registration supported account types 

Supported account types | Description 
Accounts in this organizational directory only | Select this option if you're building an application for use only by users (or guests) in your tenant. Often called a line-of-business (LOB) application, this is a single-tenant application in the Microsoft identity platform. 
Accounts in any organizational directory | Select this option if you want users in any Azure AD tenant to be able to use your application. This option is appropriate if, for example, you're building a software-as-a-service (SaaS) application that you intend to provide to multiple organizations. This type of app is known as a multi-tenant application in the Microsoft identity platform. 
Accounts in any organizational directory and personal Microsoft accounts | Select this option to target the widest set of customers. By selecting this option, you're registering a multi-tenant application that can also support users who have personal Microsoft accounts. 
Personal Microsoft accounts only | Select this option if you're building an application only for users who have personal Microsoft accounts. Personal Microsoft accounts include Skype, Xbox, Live, and Hotmail accounts. 


EXAM TIP 
It is important to understand the details of the supported account types and the sign-in 
audience associated with each option. 


6. Authentication blade. Azure AD supports applications on various platforms. In this 
blade, you configure the platform the application targets, as shown in Figure 3-56. 

A. Under Manage, select Authentication. 
B. Under Platform configurations, select Add a platform. 
C. Select the appropriate application type (the per-platform details are not required 
for this exam). 
[Figure 3-56: Authentication blade of the app registration, showing Platform configurations 
and the Add a platform control.] 

FIGURE 3-56 App registration platform configuration page. 


Azure AD supports multiple platforms for application registration, and each platform has 
additional configuration parameters, as described in Table 3-11. 

TABLE 3-11 App Registration Platform configuration settings 

Platform | Configuration settings 
Android | For apps written in Java, Kotlin, or Xamarin. Configuring your Android app enables your users to get device-wide SSO through Microsoft Authenticator and seamlessly access your application. You need to specify the Package Name and Signature Hash. 
iOS/macOS | For apps written in Objective-C, Swift, or Xamarin. Configuring your iOS or macOS app enables your users to get SSO and seamlessly access your application. You need to specify the Bundle ID. 
Mobile and desktop applications | For apps written for Windows, UWP, console, IoT and limited-entry devices, and classic iOS and Android. Select one of the suggested redirect URIs or specify a custom redirect URI. 
Single-page application | For browser client applications and progressive web applications written in JavaScript. You need to specify the redirect URIs that Azure AD will accept as destinations when returning authentication responses (tokens) after successfully authenticating or signing out users. The redirect URI sent in the request to the login server must match one listed here. Also referred to as reply URLs. 
Web | For web server applications written in .NET, Java, Python, and so on. You need to specify the redirect URIs that Azure AD will accept as destinations when returning authentication responses (tokens) after successfully authenticating or signing out users. The redirect URI sent in the request to the login server must match one listed here. Also referred to as reply URLs. 
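Table 3-11 states twice the rule that matters most for security: the redirect URI in the authorization request must match one of the registered reply URLs. The following is an added example, not code from the book or from Microsoft, of the exact-match check a token issuer (or a test harness for your own registration) should perform, placed beside the prefix-match mistake that lets an attacker-controlled host receive the authorization code. The registered URIs and the attacker host are constructed values; the acceptance policy in is_acceptable_registration is this example's own and is stricter than the portal's validation.

```python
"""Redirect URI handling: exact match against the registered reply URLs.

Added example; the registered URIs and the attacker URL below are constructed values.
"""
from urllib.parse import urlsplit

# Constructed sample: reply URLs as they would appear on the app registration.
REGISTERED_REDIRECT_URIS = frozenset({
    "https://mybusinessapp.fourthcoffee.com/signin-oidc",
    "http://localhost:5000/signin-oidc",  # loopback is the only http exception here
})


def is_acceptable_registration(uri: str) -> bool:
    """Policy applied before a reply URL is added to the registration.

    This example's rules (an assumption, not the portal's exact validation):
    https only, except plain http on the loopback address; no URL fragment,
    because the authorization response may itself be returned in the fragment;
    and no wildcard in the host, because a wildcard makes exact matching impossible.
    """
    parts = urlsplit(uri)
    if parts.fragment or "*" in parts.netloc or not parts.netloc:
        return False
    if parts.scheme == "https":
        return True
    return parts.scheme == "http" and parts.hostname in ("localhost", "127.0.0.1")


def redirect_uri_allowed(requested: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """The correct check: the requested value must equal a registered URI exactly
    (case-sensitive, no normalization). This is what 'must match' means."""
    return requested in registered


def naive_prefix_match(requested: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """The mistake: treating each registered URI's origin as an allowed prefix.
    Present only to demonstrate why it fails; never use this."""
    origins = {r.rsplit("/", 1)[0] for r in registered}
    return any(requested.startswith(origin) for origin in origins)


# Constructed attacker-controlled host whose name begins with the legitimate host.
ATTACKER_REDIRECT = "https://mybusinessapp.fourthcoffee.com.attacker.example/signin-oidc"
```

The attacker URL passes naive_prefix_match because string prefix comparison does not know where a hostname ends; exact comparison against the registered set rejects it, as it rejects a path-traversal variant and a change of case. 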
7. Certificates & secrets blade. An app registration supports multiple credential types for 
authenticating the application itself: typically a client secret during development and a 
certificate (or a federated credential) for more secure workloads. To configure the 
credential: 

A. Under Manage, select Certificates & secrets. 

B. Add one of the credential types (Figure 3-57 shows a client secret being added). 


[Figure 3-57: myBusinessApp | Certificates & secrets blade, with the tabs Certificates (0), 
Client secrets (1), and Federated credentials (0). Client secrets are described as "a secret 
string that the application uses to prove its identity when requesting a token; also can be 
referred to as application password." Control: New client secret. Columns: Description, 
Expires, Value, Secret ID. One entry: FrontEndApp1, expiring 6/19/2022.] 

FIGURE 3-57 App Registration configuration for certificates and secrets. 


Credentials enable confidential applications to identify themselves to the authentication 
service when requesting tokens; the application must be reachable at a web-addressable 
location (using the HTTPS scheme). Table 3-12 covers the options. 

TABLE 3-12 App Registration supported authentication methods 

Option | Description 
Certificate | Certificates can be used as credentials to prove the application's identity when requesting a token. Only the public key is uploaded (which is why the portal also calls them public keys); the application proves possession of the matching private key by signing its token request. Your certificate must be one of the following file types: .cer, .pem, .crt. 
Client Secret | A secret string that the application uses to prove its identity when requesting a token. Also referred to as an application password. 
Federated Credentials | Allow other identities to act as this application by establishing a trust with an external OpenID Connect (OIDC) identity provider (for example, a CI/CD pipeline or a Kubernetes workload). The external identity exchanges its own token for an Azure AD token carrying this application's access to Azure AD protected resources such as Azure and Microsoft Graph, without any secret being stored in the workload. 
EXAM TIP 
For a higher level of assurance, use a certificate (instead of a client secret) as the 
credential. Client secrets are most commonly used during development. 


8. Token configuration blade. Azure AD gives developers flexibility to adapt tokens to their 
standards. This blade lets you specify optional claims, groups claims, the token type they 
apply to, and so on, to meet business requirements. To modify the default claims: 
A. Under Manage, select Token configuration. 

B. Select Add optional claim and specify the claims, as seen in Figure 3-58. 


[Figure 3-58: myBusinessApp | Token configuration blade with the Add optional claim pane: 
an Optional claims table (Claim, Description) and the Token type selector.] 

FIGURE 3-58 App registration Token configuration page. 


Optional claims are used to return additional information in one or more tokens. You can 
Add optional claim and/or Add groups claim, and you choose the token type each claim 
applies to, as shown in Figure 3-58. Table 3-13 describes the token types. 


TABLE 3-13 Token types for optional claims 

Token Type | Description 
idToken | The OIDC ID token; the optional claims are returned in the JWT ID token. 
accessToken | The OAuth access token; the optional claims are returned in the JWT access token. 
saml2Token | SAML tokens; the optional claims are returned in the SAML token. The saml2Token type applies to both SAML 1.1 and SAML 2.0 format tokens. 
EXAM TIP 
You can use optional claims to: 
■ Add custom claims for your app. 
■ Add additional claims to the tokens for your app. 
■ Customize certain token properties, for example the groups claim and the naming 
convention used for security groups. 


Configure application permissions and implement 
application authorization 


Let's start with the fundamentals of the authorization model and a basic understanding of 
scopes, permissions, and consent: 

■ Understanding permissions and scopes 
■ Configure API permissions 

Understanding permissions and scopes 
Using the OAuth 2.0 protocol, Azure AD lets a third-party application access a web-hosted 
resource on behalf of a user. Each resource that integrates with Azure AD is identified by 
its resource identifier, or Application ID URI. Some Microsoft service applications, plus 
one custom example: 

= Microsoft 365 Mail API: https://outlook.office.com 

= Microsoft Graph: https://graph.microsoft.com 

m myBusinessApp: https://myBusinessApp.fourthcoffee.com (Custom example) 

OAuth 2.0 is the authorization protocol. Resources define their permissions up front; in 
OAuth 2.0 these are called scopes, and in Azure AD they are also referred to as permissions. 
Permissions are strings, for example (the first three are Microsoft Graph application 
permissions): 

■ Mail.Read - Read mail in all mailboxes 
■ Calendars.Read - Read calendars in all mailboxes 
■ Mail.ReadWrite - Read and write mail in all mailboxes 
■ Expense.Report.ReadAll - Read all expense reports (custom-defined, for this example) 

Developers should build on these APIs following the principle of least privilege, asking 
only for the permissions the app needs to be functional and effective. Some high-privilege 
permissions can only be granted through administrator consent. In the list above, 
Mail.ReadWrite is one such example, because it would allow the app to read and write email 
in every user's mailbox in the company. Figure 3-59 shows a custom scope configuration 
from the app. 
FIGURE 3-59 Expose an API configuration page. 


Azure AD supports two types of permissions: 
■ Delegated permissions 

These are used by applications that need to act as the signed-in user when making calls to 
the target resource. Either the user or an administrator can consent, depending on the 
permission. 

■ Application permissions 

These are used by applications that run without a signed-in user, typically background 
services or daemons. Only users in administrator roles can consent to application 
permissions. 

Delegated permissions are subject to effective permissions: the app can do no more than the 
signed-in user could do directly. If an application holds a delegated permission such as 
User.ReadWrite.All, it behaves differently depending on who signed in. When an end user 
with no elevated privileges consents and signs in, the app can only update that user's own 
profile, because the user's privileges are the limit. When an administrator signs in to the 
same application, the app can update profiles for every user in the organization. 
Application permissions are not affected by this; the permission itself is the limit. 


OpenID Connect (OIDC) is an authentication protocol based on the OAuth2 protocol (which 
is used for authorization). OpenID Connect has a few well-defined scopes that are also hosted 
on Microsoft Graph: openid, email, profile, and offline_access, as shown in Figure 3-60. 
FIGURE 3-60 App registration configuration for Microsoft Graph OIDC scopes. 


Scopes are critical for application security and behavior. Table 3-14 captures the OIDC 
scopes and their impact on user access. 

TABLE 3-14 OIDC scope details 

Scope | Description 
email | The email scope can be used with the openid scope and any others. It gives the app access to the user's primary email address in the form of the email claim. 
offline_access | The offline_access scope gives your app access to resources on behalf of the user for an extended time. On the consent page, this scope appears as the Maintain access to data you have given it access to permission. When a user approves the offline_access scope, your app can receive refresh tokens from the Microsoft identity platform token endpoint. Refresh tokens are long-lived, and your app can use them to get new access tokens as older ones expire. 
profile | The profile scope can be used with the openid scope and any others. It gives the app access to a substantial amount of information about the user, including but not limited to the user's given name, surname, preferred username, and object ID. 
openid | An app that signs users in with OpenID Connect must request the openid scope. The openid scope shows on the work account consent page as the Sign you in permission, and on the personal Microsoft account consent page as the View your profile and connect to apps and services using your Microsoft account permission. 
Tokens 
There are three main types of tokens in OAuth 2.0/OIDC: 

■ Access tokens - tokens that a resource server receives from a client, containing the 
permissions the client has been granted. The resource validates the token and authorizes 
the call based on its claims. 

■ ID tokens - tokens that a client receives from the authorization server, used to sign in a 
user and get basic information about them. 

■ Refresh tokens - used by a client to get new access and ID tokens over time. These are 
opaque strings, understood only by the authorization server. 


NEED MORE REVIEW? OAUTH 2.0 AND OIDC 


For more information on OIDC protocols, roles, and scope, visit: https://docs.microsoft.com/ 
en-us/azure/active-directory/develop/active-directory-v2-protocols#protocols 


Requesting OIDC scopes results in a consent request to the user. The app requests the 
permissions it needs by using the scope query parameter. When a user signs in to an app, 
the app sends a request for permission. Each permission is indicated by appending the 
permission value to the resource's identifier (the Application ID URI), for example 
https://graph.microsoft.com/Calendars.Read. 

After the user enters their credentials, the Azure AD endpoint checks for a matching record 
of user consent. If the user has not consented to the requested permissions in the past, 
and an administrator has not consented to them on behalf of the entire organization, 
Azure AD asks the user to grant the requested permissions, as shown in Figure 3-61. 


[Figure 3-61: The same consent prompt as Figure 3-54, shown to 
gadmin@fourthcoffee1.onmicrosoft.com for the app calendly, listing the requested scopes: 
Sign you in and read your profile; Read your calendars; Read and write to your calendars; 
with the Consent on behalf of your organization checkbox.] 

FIGURE 3-61 Application consent screen with required scopes. 
The consent experience can be configured in two ways: 
■ User consent 

When the user approves the permission request, consent is recorded, and the user doesn't 
have to consent again on subsequent sign-ins to the application. Each user who accesses the 
application consents individually. 

■ Tenant-level (admin) consent 

An administrator grants consent for the application to act on behalf of any user in the 
tenant. Once the admin grants consent for the entire tenant, the organization's users 
won't see a consent page for the application. 


Configure API permissions 

As part of the app configuration, one of the steps is configuring API permissions. Admin 
consent can be granted from both the Enterprise applications blade and the App 
registrations blade, and the steps differ. A Global Administrator or Privileged Role 
Administrator can grant tenant-wide admin consent for any permission; an Application 
Administrator or Cloud Application Administrator can also grant it, except for application 
permissions to Microsoft Graph and Azure AD Graph. 


In the following section, we will review how to grant consent for App registrations. 
To grant admin consent for an App registration: 
1. Browse to Azure Active Directory > App registrations > myBusinessApp. 

2. In the left navigation, under Manage, select API permissions. (Figure 3-62 highlights 
the permissions menu and shows that admin consent has not yet been granted.) 

3. Under Configured permissions, select Grant admin consent for FourthCoffee (the button 
carries your tenant's name). 

4. Review the confirmation dialog, and then select Yes. 

[Figure 3-62: myBusinessApp | API permissions blade.] 

FIGURE 3-62 App registration configuration showing admin consent status and control. 


In the following section, we will review how to grant consent from Enterprise applications. 
To grant admin consent from Enterprise applications: 

1. Browse to Azure Active Directory > Enterprise applications > the app (myBusinessApp 
in this example). 
2. On the myBusinessApp blade, in the left navigation, under Security, select Permissions. 

3. Under Permissions, select Grant admin consent for FourthCoffee, then review the list of 
admin-consented permissions (both are highlighted in Figure 3-63). 

[Figure 3-63: myBusinessApp | Permissions blade.] 

FIGURE 3-63 Granting admin consent for the application. 


NOTE GRANTING ADMIN CONSENT VIA A URL 

Administrators can also provide tenant-wide admin consent by browsing to a specially 
crafted URL, https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}, 
where: 

■ {client-id} is the application's client ID. 
■ {tenant-id} is your organization's tenant ID or verified domain name. 


Some high-privilege permissions are admin-restricted. If your app requires access to 
admin-restricted scopes for organizations, you should request them directly from a company 
administrator, also by using the admin consent endpoint. 

Application permissions are granted via the admin consent endpoint. This grant isn't given 
on behalf of any specific user; instead, the client application is granted the permissions 
directly. These are generally requested by non-interactive applications or services that 
run in the background. 


EXAM TIP 

If you think a malicious application was somehow permitted and you are compromised, 
you should: 

■ Remove all users assigned to the application. 
■ Revoke all permissions granted to the application. 
■ Revoke refresh tokens for all users. 
Implement application authorization 
App roles can be configured so that Azure AD emits a roles claim for each app role granted 
to the user or service principal receiving the token. Applications use these claims to 
implement claims-based authorization. The claims are configured according to the 
application's requirements, and Azure AD provides ways to do this for both Enterprise 
applications and App registrations. 
In the following example, the application has two roles: ClaimsViewer and User. Chris is 
assigned the User role and Jeevan Bisht is assigned the ClaimsViewer role, as highlighted 
in Figure 3-64. 


[Figure 3-64: ClaimsXray (Enterprise Application) | Users and groups blade. Display Name / 
Object Type / Role assigned: Jeevan Bisht, User, Claims Viewer; Chris, User, User.] 

FIGURE 3-64 App roles assigned to users. 


Once the user authenticates, the token issued to the application includes a roles claim. 
The application can then implement different experiences for the ClaimsViewers and User 
roles. Figure 3-65 is an example from the ClaimsXray app, which prints the claims from the 
token; the role value for the current user is highlighted. 


[Figure 3-65: Token Claims table (Claim / Value) from ClaimsXray: 
Custom EmployeeID: SECRET123; 
http://schemas.microsoft.com/claims/authnmethodsreferences: 
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password, 
http://schemas.microsoft.com/claims/multipleauthn; 
http://schemas.microsoft.com/identity/claims/displayname: Jeevan Bisht; 
http://schemas.microsoft.com/identity/claims/identityprovider: https://sts.windows.net/{tenant-id}/; 
http://schemas.microsoft.com/ws/2008/06/identity/claims/role: ClaimsViewers.] 

FIGURE 3-65 The role claim in the issued token, shown using the ClaimsXray app. 
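The Tokens section, the delegated-versus-application permissions discussion, and the role claim shown above come together at the moment a web API receives an access token. The following is an added example, not code from the book or from the ClaimsXray app, that parses the claims of a compact JWT, tells a delegated token (scp claim, acting as a signed-in user) from an app-only token (roles claim and no user), and gates an endpoint on the audience plus the scope or app role it requires. The audience is the book's myBusinessApp Application ID URI; the sample tokens are constructed with an empty signature purely as input, and the code deliberately does not verify signatures, which a real API must do against the tenant's published signing keys before trusting any claim.

```python
"""Claims-based authorization on an Azure AD access token (added example).

The sample tokens are constructed, unsigned, and exist only to exercise the
functions; a real resource validates the signature first.
"""
import base64
import json

# Assumed: the Application ID URI of the API, as registered under Expose an API.
API_AUDIENCE = "https://myBusinessApp.fourthcoffee.com"


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).
    No signature check here: do that with the issuer's JWKS before calling this."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def permission_model(claims: dict) -> str:
    """'delegated' when the token carries scopes (scp) and therefore a user;
    'application' when it carries only app roles (roles), i.e. no user;
    'none' when it carries neither, which must never authorize anything."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    return "none"


def has_app_role(claims: dict, role: str) -> bool:
    """App role granted to the caller (a user, a group member or a service principal),
    emitted by Azure AD in the roles claim exactly as the role's Value."""
    return role in claims.get("roles", [])


def can_call(claims: dict, required_scope: str, required_role: str,
             audience: str = API_AUDIENCE) -> bool:
    """Endpoint gate: reject tokens minted for another resource, then require the
    delegated scope for user tokens or the application permission (an app role)
    for app-only tokens. For delegated tokens the user's own rights still bound
    what the call may do downstream (effective permissions)."""
    if claims.get("aud") != audience:
        return False
    model = permission_model(claims)
    if model == "delegated":
        return required_scope in claims["scp"].split()
    if model == "application":
        return has_app_role(claims, required_role)
    return False


def make_unsigned_token(payload: dict) -> str:
    """Build sample input only: a JWT with alg 'none' and an empty signature."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    return f"{header}.{enc(payload)}."


# Constructed sample tokens; the names and role values come from the book's figures.
DELEGATED_TOKEN = make_unsigned_token({
    "aud": API_AUDIENCE, "name": "Jeevan Bisht",
    "scp": "Expense.Report.ReadAll", "roles": ["ClaimsViewer"],
})
APP_ONLY_TOKEN = make_unsigned_token({
    "aud": API_AUDIENCE, "roles": ["ExpenseApprovers"],
})
```

Note that a delegated token can carry a roles claim as well (the user's app roles, as in Figure 3-65); has_app_role answers the in-app RBAC question for either token type, while can_call decides which claim is the permission that matters for the token type at hand. 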
Creating app roles 

Azure AD supports role-based access control (RBAC), allowing developers to apply 
authorization in their applications through claims-based authorization for both 
users/groups and applications. This is done by creating app roles and assigning them to 
the appropriate users, groups, or client applications. RBAC lets developers enforce 
authorization using Azure AD capabilities rather than a role store of their own. 


In this section we will review how to create app roles. Do as follows: 

1. Sign in to the Azure portal. 

2. Under Manage, select App registrations, and then select the application in which you 
want to define app roles. 

3. Select App roles, and then select Create app role, as highlighted in Figure 3-66. 


[Figure 3-66: myBusinessApp | App roles blade with the Create app role control.] 

FIGURE 3-66 App registration configuration page for App roles. 


4. Specify the details in the Create app role pane. Figure 3-67 highlights the required 
fields. In this example, we are creating an app role called ExpenseApprovers whose value, 
as passed to the application in the roles claim, is ExpenseApprovers. Also note the 
Description field, which app admins use to understand the role's purpose. App roles can 
be assigned to users/groups, applications, or both. 
5. Click Apply. 


[Figure 3-67: Create app role pane. Display name*: ExpenseApprovers. Allowed member types*: 
Users/Groups, Applications, Both (Users/Groups + Applications). Value*: ExpenseApprovers. 
Description*: Expense Approvers have the ability to approve all expenses. Do you want to 
enable this app role? (toggle). Apply button.] 

FIGURE 3-67 Custom roles definition. 


In the previous section, we created a custom app role. These roles can be assigned to 
users/groups or to applications, although the two assignments are made on different blades. 
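The app role created in the portal is stored in the appRoles array of the app registration's manifest, and the portal enforces a handful of rules when you save it. The following is an added example, not code from the book or from Microsoft, that builds appRoles entries in that manifest shape and checks the constraints Azure AD applies: the Value is limited to 120 characters from a fixed character set with no spaces and may not start with a period, values and IDs must be unique, a Description is required, the allowed member types are User and/or Application, and an enabled role cannot be deleted until it has first been saved as disabled. The role definitions are constructed from the ExpenseApprovers example above.

```python
"""appRoles entries as stored in the app manifest, with the service's validation
rules modeled locally (added example; role data is constructed)."""
import re
import uuid
from typing import List, Set

# Manifest names behind the portal's "Users/Groups" and "Applications" choices.
MEMBER_TYPES = {"User", "Application"}

# Value rules: 1-120 characters from this set, no spaces; may not start with '.'.
VALUE_RE = re.compile(r"^[0-9A-Za-z!#$%&'()*+,\-./:;<=>?@\[\]^_`{|}~]{1,120}$")


def new_app_role(display_name: str, value: str, description: str,
                 member_types: Set[str], enabled: bool = True) -> dict:
    """One appRoles entry; the id is the GUID Azure AD assigns to every role."""
    return {
        "id": str(uuid.uuid4()),
        "displayName": display_name,
        "value": value,              # emitted verbatim in the roles claim
        "description": description,
        "allowedMemberTypes": sorted(member_types),
        "isEnabled": enabled,
    }


def validate_app_roles(roles: List[dict]) -> List[str]:
    """Return the problems that would make the manifest fail to save."""
    errors, values, ids = [], set(), set()
    for role in roles:
        name, value = role.get("displayName", "?"), role.get("value") or ""
        if not VALUE_RE.match(value) or value.startswith("."):
            errors.append(f"{name}: value {value!r} is not allowed")
        if value in values:
            errors.append(f"{name}: duplicate value {value!r}")
        if role["id"] in ids:
            errors.append(f"{name}: duplicate id {role['id']}")
        if not role.get("description"):
            errors.append(f"{name}: description is required")
        types = set(role.get("allowedMemberTypes", []))
        if not types or not types <= MEMBER_TYPES:
            errors.append(f"{name}: allowedMemberTypes must be User, Application or both")
        values.add(value)
        ids.add(role["id"])
    return errors


def disable_app_role(roles: List[dict], value: str) -> List[dict]:
    """First step of removal: save the manifest with isEnabled false."""
    return [dict(r, isEnabled=False) if r["value"] == value else r for r in roles]


def remove_app_role(roles: List[dict], value: str) -> List[dict]:
    """Second step: drop the role. Azure AD rejects deleting a role that is still enabled."""
    for r in roles:
        if r["value"] == value and r["isEnabled"]:
            raise ValueError(f"app role {value!r} must be disabled before it is removed")
    return [r for r in roles if r["value"] != value]


# Constructed roles based on the book's example.
APP_ROLES = [
    new_app_role("ExpenseApprovers", "ExpenseApprovers",
                 "Expense Approvers have the ability to approve all expenses", {"User"}),
    new_app_role("ExpenseReaders", "Expense.Report.ReadAll",
                 "Read all expense reports", {"Application"}),
]
```

The second constructed role is an application permission: an app role whose allowed member type is Application is exactly what a client app requests under Application permissions, and what an admin must consent to. 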


To assign app roles to applications, do the following: 

1. Sign in to the Azure portal. 
2. In Azure Active Directory, select App registrations. 
3. Find and select the client application to which you want to assign an app role. 
4. Select API permissions > Add a permission. 
5. Select the My APIs tab (the choices are Microsoft APIs, APIs my organization uses, and 
My APIs) and then select the app in which you defined the app roles (myBusinessApp in 
this example, as highlighted in Figure 3-68). 
6. Select Application permissions. 
7. Select the role(s) you want to assign. (Figure 3-68 highlights the sequence and the app 
role we created in the previous section.) 
8. Select Add permissions to complete the addition of the role(s). 

The new roles should appear in your app registration's API permissions pane. 


[Figure 3-68: MasterApp | API permissions blade with the Request API permissions pane: 
My APIs > myBusinessApp, permission type Application permissions, the role created in the 
previous section selected, and the Add permissions button.] 

FIGURE 3-68 App registration configuration for adding API permissions. 


NOTE ADMIN-GRANTED CONSENT 

These are application permissions, not delegated permissions. An admin must grant consent 
before the client application can use the app roles assigned to it. 


To assign users and groups to roles: 
1. Sign in to the Azure portal. 

2. In Azure Active Directory, select Enterprise applications in the left navigation menu. 
Find and select the application in which you want to assign users or security groups to 
roles (myBusinessApp in our example). 

3. Under Manage, select Users and groups. 

4. Select Add user/group. 

5. Select the Users and groups tab in the Add Assignment pane. A list of users and security 
groups is displayed. Choose a user and click Select. 

6. Select a role in the Add Assignment pane. All custom roles are displayed. 

7. Choose a role and click Select. (Figure 3-69 highlights the roles assigned to both 
users.) 

8. Select Assign to finish assigning users and groups to the app. 



FIGURE 3-69 Assigning app roles to users and groups. 
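The role assignments from steps 1 to 8 above, and the admin consent for application permissions described in the preceding note, can also be scripted. What follows is an added example written with the Microsoft Graph PowerShell SDK; it is not code from the book. The application names follow the chapter's example (myBusinessApp defines the roles, MasterApp requested an application permission in Figure 3-68); the role value, application permission value, user UPN, and group name in angle brackets are placeholders you replace with your own.

```powershell
# Added example (not from the book): assign a user and a group to a custom app role, and grant
# admin consent for an application permission, with the Microsoft Graph PowerShell SDK.
# Placeholder values: $userUpn, $groupName and $appPermissionValue are hypothetical.
Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All",
                        "User.Read.All", "Group.Read.All"

$resourceAppName    = "myBusinessApp"        # app that defines the roles (chapter example)
$clientAppName      = "MasterApp"            # app that requested an application permission (Figure 3-68)
$roleValue          = "ExpenseApprovers"     # role "value" from the myBusinessApp manifest (Figure 3-69)
$appPermissionValue = "<Approvals.Read.All>" # hypothetical application-permission role value
$userUpn            = "<user@yourtenant.onmicrosoft.com>"
$groupName          = "<Expense Approvers group>"

# App roles are defined on the app registration, but assignments live on the service principal
# (the enterprise application), so look that up first.
$resourceSp = Get-MgServicePrincipal -Filter "displayName eq '$resourceAppName'"
if (-not $resourceSp) { throw "Enterprise application '$resourceAppName' not found" }

function Get-AppRoleByValue {
    # Returns the enabled app role with the given value and allowed member type, or throws.
    param($ServicePrincipal, [string]$Value, [string]$MemberType)
    $role = $ServicePrincipal.AppRoles | Where-Object {
        $_.Value -eq $Value -and $_.IsEnabled -and $_.AllowedMemberTypes -contains $MemberType
    }
    if (-not $role) {
        throw "No enabled app role '$Value' for member type '$MemberType' on $($ServicePrincipal.DisplayName)"
    }
    return $role
}

# --- 1. Assign a user and a group to a "User" app role (the portal steps above). ---
$userRole = Get-AppRoleByValue -ServicePrincipal $resourceSp -Value $roleValue -MemberType "User"
$user     = Get-MgUser -UserId $userUpn
$group    = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }

foreach ($principal in @($user, $group)) {
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $resourceSp.Id `
        -PrincipalId $principal.Id -ResourceId $resourceSp.Id -AppRoleId $userRole.Id | Out-Null
}

# --- 2. Admin consent for an application permission (the NOTE above): the client app's own
#        service principal is assigned an "Application" app role on the resource app. ---
$clientSp = Get-MgServicePrincipal -Filter "displayName eq '$clientAppName'"
if (-not $clientSp) { throw "Enterprise application '$clientAppName' not found" }
$appRole  = Get-AppRoleByValue -ServicePrincipal $resourceSp -Value $appPermissionValue -MemberType "Application"
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $resourceSp.Id `
    -PrincipalId $clientSp.Id -ResourceId $resourceSp.Id -AppRoleId $appRole.Id | Out-Null

# --- 3. Verify: list every assignment on myBusinessApp with the role value resolved, so the
#        reviewer sees users, groups and the consenting application side by side. ---
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $resourceSp.Id -All |
    ForEach-Object {
        $assignment = $_
        $r = $resourceSp.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
        [pscustomobject]@{
            Principal = $assignment.PrincipalDisplayName
            Type      = $assignment.PrincipalType      # User, Group or ServicePrincipal
            Role      = $r.Value
        }
    } | Format-Table -AutoSize
```

Assigning the group rather than individual users is the production pattern the chapter recommends; the verification step at the end is the same list the Users and groups pane shows in Figure 3-69, with the consenting application (PrincipalType ServicePrincipal) included.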


EXAM TIP

App roles are preferred in multi-tenant applications, since developers can easily map users to required functionality in their own code without having a dependency on GroupName or GroupID, which might change between tenants. Assigning groups to app roles is a general practice that SaaS app developers use when the application needs to be provisioned in multiple tenants.


Multi-tenant app considerations 


Multi-tenant apps follow the same pattern for app registrations; however, there are certain best practices that you should be aware of, which are highlighted in the following list:

■ Use the principle of least user access to ensure that your app only requests the permissions it requires.

■ Test your apps against Conditional Access policies.

■ Provide clear names and descriptions for any permissions you expose as part of your app.


NEED MORE REVIEW? TENANCY IN AZURE ACTIVE DIRECTORY 


For more information on single/multi-tenant applications, visit: https://docs.microsoft.com/ 
en-us/azure/active-directory/develop/single-and-multi-tenant-apps 




Skill 3.3: Manage and monitor application access by 
using Microsoft Defender for Cloud Apps 


The threat landscape is constantly evolving, and modern applications need protection beyond authentication. Threat scenarios such as high-privilege consent and insider risk can be addressed with access or session policies, which give a wider perspective on, and control over, what users experience and what they can do. This skill focuses on how additional controls can be applied to discovered applications using Microsoft Defender for Cloud Apps app connectors for greater visibility, and on applying additional controls, such as session controls, to web and OAuth apps using the Microsoft Defender for Cloud Apps policy engine.

This skill covers how to:

■ Implement application-enforced restrictions
■ Configure connectors to apps
■ Deploy Conditional Access App Control for apps using Azure Active Directory
■ Create access and session policies in Microsoft Defender for Cloud Apps
■ Implement and manage policies for OAuth apps


Implement application-enforced restrictions 


Azure Active Directory offers a very powerful ability to control granular access with Conditional Access. However, in certain conditions you would want to allow applications to use signals from Azure AD, such as whether a device is compliant or not, to offer a differentiated experience. This gives organizations the flexibility to create different yet secure access when users access services from different devices. This control, however, is only available today for Office 365 SharePoint Online/OneDrive and Exchange Online. Figure 3-70 shows how to enable app-enforced restrictions in the Conditional Access policy.

FIGURE 3-70 Conditional access policy with session control for app enforced restriction.


Once the Conditional Access policy is configured, you will also need to configure the applications to be able to utilize the app restrictions. The configuration details can be found at the following links:

■ SharePoint Online: https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices

■ Exchange Online: https://techcommunity.microsoft.com/t5/outlook-blog/conditional-access-in-outlook-on-the-web-for-exchange-online/ba-p/267069

We will quickly review a few high-level options for the SharePoint admin center configuration. You can achieve the following using app-enforced restrictions, as shown in Figure 3-71:

■ Block access from unmanaged devices (most restrictive)

■ Allow limited, web-only access. This provides full access to compliant devices, but for non-compliant/unmanaged devices, it restricts their ability to download, print, or sync, ensuring the data is not unintentionally leaked on unmanaged devices.

FIGURE 3-71 SharePoint admin center configuration for unmanaged devices.


Once the policy is configured, if a user tries to access SharePoint from an unmanaged/non-compliant device, they will see the warning in the SharePoint app shown in Figure 3-72, which allows the user to access the application but does not allow downloading, printing, or syncing.

[Figure 3-72 shows a SharePoint site with the banner: "Your organization doesn't allow you to download, print, or sync using this device. To use these actions, use a device that's joined to a domain or marked compliant by Intune. For help, contact your IT department."]

FIGURE 3-72 SharePoint limited web-only access end user experience.


Limiting a specific SharePoint site 


SharePoint also supports the ability to block or limit access to a specific SharePoint site or OneDrive. However, this ability is only available from PowerShell. This might be required by enterprises that protect all SharePoint data using Conditional Access and consider their data sensitive; however, they might allow one or more specific sites to be accessed with fewer restrictions. For all sites where you enable Conditional Access policies, you should disable "Anyone" links; otherwise, the setting has no impact. Below is an example of restricting a specific SharePoint site using PowerShell with limited access and allowing only read-only access.

Set-SPOSite -Identity https://<SharePoint online URL>/sites/<name of site or OneDrive account> -ConditionalAccessPolicy AllowLimitedAccess -ReadOnlyForUnmanagedDevices $true

For more information, visit https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices#advanced-configurations.
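The single Set-SPOSite command above only does what the paragraph promises if "Anyone" links are also turned off on the site. The following is an added example using the SharePoint Online Management Shell, not code from the book, that performs both steps in order and then reads the site back so the change can be verified; the tenant and site names in angle brackets are placeholders.

```powershell
# Added example (not from the book): limit one SharePoint site to read-only, web-only access
# from unmanaged devices with the SharePoint Online Management Shell.
# Placeholders: <tenant> and <site> are hypothetical values; requires a SharePoint administrator.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

$siteUrl = "https://<tenant>.sharepoint.com/sites/<site>"

# 1. "Anyone" links are anonymous and bypass the device check entirely, so turn them off first.
#    ExternalUserSharingOnly still allows sharing with authenticated guests; use Disabled if
#    the site should not be shared externally at all.
Set-SPOSite -Identity $siteUrl -SharingCapability ExternalUserSharingOnly

# 2. Limited, web-only access for unmanaged devices, read-only (no editing in the browser either).
#    Other values for -ConditionalAccessPolicy are AllowFullAccess and BlockAccess.
Set-SPOSite -Identity $siteUrl -ConditionalAccessPolicy AllowLimitedAccess -ReadOnlyForUnmanagedDevices $true

# 3. Verify the effective settings; SharingCapability, ConditionalAccessPolicy and
#    ReadOnlyForUnmanagedDevices should all reflect the change before the site is announced.
Get-SPOSite -Identity $siteUrl -Detailed |
    Select-Object Url, SharingCapability, ConditionalAccessPolicy, ReadOnlyForUnmanagedDevices
```

Running the verification step is worth the extra line: site-level settings are the ones most easily overwritten by a later bulk change, and the output is the evidence an auditor will ask for.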


Configure connectors to apps 


Microsoft Defender for Cloud Apps supports the use of API connectors to provide enhanced visibility and control over applications. It uses the APIs provided by the service providers. In some cases, these are SaaS applications like Box and GitHub, but they can also be other cloud platforms like AWS and GCP. Microsoft Defender for Cloud Apps works with these providers to optimize the API and the framework used, and honors contracts such as API throttling and other platform-enforced restrictions. This avoids API hammering when requesting API-intensive tasks like file search or file scans, which might be a series of API calls in short spans. This means it is normal for certain operations to run continuously for hours, spread across smaller tasks, ensuring both the stability and performance of target systems.


Connectors can bring additional information depending on what the service providers support. In general, you can find information across the following areas:

■ Account governance—Provides the ability to perform governance activities like suspending/revoking accounts, resetting passwords, etc.

■ Account information—Insights/visibility into users, privileges, account information, state of users (active/disabled), group memberships, etc.

■ App permissions—View and issue tokens and permissions.

■ App permission governance—Ability to remove tokens.

■ Audit trail—Insights/visibility into user/admin sign-in and other activities.

■ Data scan—Ability to perform unstructured data scans, both periodic (every 12 hours) and whenever a change is detected (real time).

■ Data governance—Abilities such as overwriting files, managing files in quarantine, or deleting files.

Tables 3-15 to 3-17 provide samples of the integration capabilities of Microsoft Defender for Cloud Apps with different service providers. For the complete list of supported applications, please visit the Microsoft Defender for Cloud Apps documentation.
TABLE 3-15 User and activities

Application | List Accounts | List Groups | List Privileges | Log On Activity | User Activity | Administrative Activity
AWS | Yes | Yes | NA | Yes | |
Azure | Yes | Yes | Yes | Yes | |
Box | Yes | Yes | Yes | Yes | Yes | Yes
Dropbox | Yes | Yes | Yes | Yes | Yes | Yes
Office 365 | Yes | Yes | Yes | Yes | Yes | Yes
Salesforce (with SF Shield) | Yes | Yes | Yes | Yes | Yes | Yes
ServiceNow | Yes | Yes | Yes | Yes | Partial | Partial

TABLE 3-16 User/app governance and security configuration visibility

Application | User Governance | View App Permissions | Revoke App Permissions | Security Configuration Visibility
AWS | NA | NA | |
Azure | Not supported by provider | | |
Box | Yes | Not supported by provider | Yes | Yes
Dropbox | | | |
Office 365 | Yes | Yes | Yes |
Salesforce | Yes | Yes | Yes | Preview
ServiceNow | | | | Preview

TABLE 3-17 Information protection

Application | DLP - Periodic Backlog Scan | DLP - Near Real Time Scan | Sharing Control | File Governance | Apply Sensitivity Labels From Microsoft Purview IP
AWS | Yes (S3 bucket discovery only) | Yes | Yes | NA |
Azure | | | | |
Box | Yes | Yes | Yes | Yes | Yes
Dropbox | Yes | Yes | Yes | Yes |
Office 365 | Yes | Yes | Yes | Yes | Yes
Salesforce | Yes | Yes | Yes | |
ServiceNow | Yes | Yes | NA | |

Deploy Conditional Access App Control for apps using Azure Active Directory


While Microsoft Defender for Cloud Apps offers integration with multiple IdPs and with both catalog apps and custom apps, we will focus only on Azure AD integration as part of the scope for this exam. Before deploying Conditional Access App Control, let's review the prerequisites.

Prerequisites:

■ Azure Active Directory Premium P1 or higher
■ Microsoft Defender for Cloud Apps
■ Apps must use SAML 2.0 or OpenID Connect
■ Apps must be configured for single sign-on (SSO) with Azure Active Directory

The high-level steps for catalog app integration are as follows and are detailed next:

Step 1: Azure AD integration with Microsoft Defender for Cloud Apps.
Step 2: Log in with the user assigned to the app for Defender to receive the policy.
Step 3: Verify the app connection in the Microsoft Defender for Cloud Apps console and enable access and session controls.
Step 4: Enable the application for Conditional Access App Control.
Step 5: Perform the test deployment.


Step 1: Azure AD integration with Microsoft Defender for Cloud Apps

Identify the SAML 2.0 or OpenID Connect apps that are integrated with Azure AD and follow the steps below to configure Conditional Access to integrate with Microsoft Defender for Cloud Apps.

1. Open the Azure AD console and navigate to Security > Conditional Access.

2. On the Conditional Access pane, create a new policy by selecting New policy > Create new policy.

3. On the New pane, in the Name text box, enter the policy name.

4. Under Assignments, select Users or workload identities and specify the users/groups that will be used for onboarding (initial sign-on and verification).

5. Under Assignments, select Cloud apps or actions and assign the apps and actions you want to control with Conditional Access App Control.

6. Under Access controls, select Session, select Use Conditional Access App Control, and choose the built-in policy Monitor only (Preview). You can also choose Block downloads (Preview) or Use custom policy to set an advanced policy in Microsoft Defender for Cloud Apps, and then select Select, as shown in Figure 3-73.

FIGURE 3-73 Enabling conditional access app control.

7. Under Enable policy, select On and then select Create/Save.
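Both session controls in this skill, the app-enforced restrictions policy from Figure 3-70 and the Conditional Access App Control policy from steps 1 to 7 above, can be created with the Microsoft Graph PowerShell SDK instead of the portal. The following is an added example, not code from the book; the pilot group, the emergency-access account, and the application ID in angle brackets are placeholders, and the policy names are ones chosen for the example.

```powershell
# Added example (not from the book): create the two Conditional Access session-control policies
# described in this skill with the Microsoft Graph PowerShell SDK.
# Placeholders: $pilotGroupId, $breakGlassUserId and $lobAppId are hypothetical values.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$pilotGroupId     = "<object id of the onboarding/pilot group>"
$breakGlassUserId = "<object id of the emergency access account>"   # keep it excluded from every CA policy
$lobAppId         = "<application (client) id of the SAML/OIDC app>"

function New-SessionControlPolicy {
    # Creates a CA policy scoped to the pilot group and one set of apps, carrying the given session control.
    param([string]$Name, [string[]]$Apps, [hashtable]$SessionControls)
    $body = @{
        displayName = $Name
        # "enabled" matches step 7 of the book; "enabledForReportingButNotEnforced" lets you
        # see matches in the sign-in log first without changing any user's experience.
        state       = "enabled"
        conditions  = @{
            users          = @{ includeGroups = @($pilotGroupId); excludeUsers = @($breakGlassUserId) }
            applications   = @{ includeApplications = $Apps }
            clientAppTypes = @("all")
        }
        sessionControls = $SessionControls
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Policy 1 (Figure 3-70): app-enforced restrictions. "Office365" is the built-in app group that
# covers SharePoint Online/OneDrive and Exchange Online; the services themselves decide what to limit.
New-SessionControlPolicy -Name "Session - App enforced restrictions (pilot)" -Apps @("Office365") `
    -SessionControls @{ applicationEnforcedRestrictions = @{ isEnabled = $true } }

# Policy 2 (steps 1-7): route the line-of-business app through Conditional Access App Control
# in monitor-only mode. cloudAppSecurityType accepts monitorOnly, blockDownloads or
# mcasConfigured (the "Use custom policy" option, evaluated by Defender for Cloud Apps).
New-SessionControlPolicy -Name "Session - Conditional Access App Control monitor (pilot)" -Apps @($lobAppId) `
    -SessionControls @{ cloudAppSecurity = @{ isEnabled = $true; cloudAppSecurityType = "monitorOnly" } }

# Verify which session control each new policy carries before widening the user scope.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object DisplayName -like "Session - *" |
    Select-Object DisplayName, State,
        @{ n = 'AppEnforced'; e = { $_.SessionControls.ApplicationEnforcedRestrictions.IsEnabled } },
        @{ n = 'CAAC';        e = { $_.SessionControls.CloudAppSecurity.CloudAppSecurityType } }
```

Scoping both policies to a pilot group and excluding an emergency-access account mirrors step 4 of the procedure: the first sign-in by a pilot user is what lets Defender for Cloud Apps learn about the app (Step 2), and a policy that accidentally targets all users with no exclusion is the classic way to lock administrators out.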


Step 2: Log in with the user assigned to the app for Defender to receive the policy

After the creation of the Conditional Access policies, you need to sign in to each application within the scope of the Conditional Access policy for Microsoft Defender for Cloud Apps to sync the policy details to its service. Without this step, the application might not appear in the Microsoft Defender for Cloud Apps console.

Step 3: Verify the app connection in the Microsoft Defender for Cloud Apps console and enable access and session controls

At this point, we will enable/verify that the access and session controls are configured for the apps in scope. For this step, do as follows:

1. Go to the Microsoft Defender for Cloud Apps portal, select the settings cog on the top-left title bar of the portal, and then select Conditional Access App Control. See Figure 3-74.

FIGURE 3-74 Navigate to the Conditional Access App Control configuration.


2. Review the Conditional Access App Control apps table (shown in Figure 3-75), look 
at the Available controls column, and verify that both Access control or Azure AD 
Conditional Access and Session control appear for your apps. 



FIGURE 3-75 Microsoft Defender for Cloud Apps connect apps console. 


Step 4: Enable the application for Conditional Access App Control

For this step, do as follows:

1. Review the list of apps, and on the row in which the app you're deploying appears, choose the three dots at the end of the row, and then choose Edit app.

2. Select Use the app with session controls and then select Save. See Figure 3-76.



FIGURE 3-76 Enabling an app for session controls. 


Step 5: Perform the test deployment

We need a fresh session for testing, so make sure the test users log out of their existing sessions and then try to access the applications that are in scope for the policy. Then do as follows:

1. Log in to the Microsoft Defender for Cloud Apps portal, and under Investigate, select Activity log, and make sure the login activities are captured for each app.

2. You can filter by clicking Advanced and then filtering using Source equals Access control. See Figure 3-77.

FIGURE 3-77 Activity log scoped to access control.

3. You can see the device details, such as desktop/mobile, while testing. You should test the login from all the applications, including browsers and any mobile application. Ensure that the activities are correctly captured in the activity log.


Create access and session policies in Microsoft Defender for 
Cloud Apps 


With access policies, you can enable real-time monitoring and access control for cloud apps based on factors like app, device, location, and user. Microsoft Defender for Cloud Apps also offers certificate-based authentication to identify devices, in addition to the Hybrid Azure AD joined and Azure AD joined device conditions and checks. This can be useful in multiple scenarios to validate devices.

To create a new access policy, follow this procedure: 

1. Browse to Control > Policies.

2. Click Create policy and select Access policy. See Figure 3-78.

FIGURE 3-78 Microsoft Defender for Cloud Apps control policy menu.

3. In the Access policy wizard, assign a name for your policy, such as "Block access from non-corporate devices" (as shown in Figure 3-79) and provide a brief Description.

4. Define the Policy Severity and Category for access control.

FIGURE 3-79 Access policy wizard.


5. In the Activities matching all of the following section (shown in Figure 3-79), under Activity source, select additional activity filters to apply to the policy. Filters include the following options:

■ App: Use this filter to target specific apps.
■ Client app: Use this filter to target a browser or client app if applicable.
■ Device tags: Use this filter to identify unmanaged devices.
■ Device type: Use this filter to identify PC/Mobile/Tablet/Other.
■ Location: Use this filter to identify countries or unknown (risky) locations.
■ IP address: Use this filter to filter by IP address, use previously assigned IP address tags, or filter by classified services like VPN/Cloud Providers/Risky, etc. You can also define raw IP addresses.
■ Registered ISP: Use this filter to identify a specific ISP based on its IPs.
■ User: Use this filter to target specific users/groups.
■ User agent string: Use this filter to match exact user agent strings.
■ User agent tag: Use this filter to enable the heuristic that identifies mobile and desktop apps. This filter can be set to equals or does not equal. The values should be tested against your mobile and desktop apps for each cloud app.

6. Under Actions, select one of the following options:

■ Test: Set this action to explicitly allow access according to the policy filters you set.
■ Block: Set this action to explicitly block access according to the policy filters you set.

7. You can Create an alert for each matching event with the policy's severity:

■ Set an alert limit.
■ Select whether you want the alert as an email, a text message, or both.
■ Send alerts to Power Automate for automation.


Session Policies 


Session policies can enable real-time session-level monitoring, providing admins with visibility 
into cloud apps and the ability to adapt to business requirements and policies. Very commonly, 
instead of allowing or blocking access completely, especially in case of vendor or partner ac- 
cess with session control, you can allow access while monitoring the session and/or limiting 
specific session activities using the reverse proxy capabilities of Conditional Access App Con- 
trol. Session control applies to browser-based apps. To block access from mobile and desktop 
apps, create an Access policy. 


To create a new session policy, follow this procedure:

1. Go to Control > Policies.

2. Select Create policy and then select Session policy, as shown in Figure 3-78.

3. Session policy offers a predefined catalog and suggested actions as templates. As shown in Figure 3-80, we will create a policy with the No template option.

FIGURE 3-80 Session policy wizard templates.

4. In the Session policy window, assign a name for your policy, such as "Block printing SSN number for EXO/SPO/TEAMS for Associates," as shown in Figure 3-81.

5. In the Session control type field:

■ Select Monitor only if you only want to monitor activities by users. This selection will create a monitor-only policy for the apps you selected where all sign-ins, heuristic downloads, and activity types will be monitored.

■ Select Block activities to block specific activities, which you can select using the Activity type filter. All activities from selected apps will be monitored (and reported in the Activity log). The specific activities you select will be blocked if you select the Block action. The specific activities you selected will raise alerts if you select the Test action and have alerts turned on.

■ Select Control file download (with inspection) if you want to monitor user activities. You can take additional actions like blocking or protecting downloads for users.

■ Select Control file upload (with inspection) if you want to monitor user activities. You can take additional actions such as blocking or protecting uploads for users.

FIGURE 3-81 Session policy wizard.


6. In the Activities matching all of the following section, under Activity source, select additional activity filters to apply to the policy. Filters include the following options:

■ App: Use this filter to target specific app(s).
■ Activity type: Use this filter to select specific activities to be controlled, such as:
  ■ Print
  ■ Clipboard actions: Copy, Cut, and Paste
  ■ Send items in apps such as Teams
■ Client app: Use this filter to target a browser or client app if applicable.
■ Device tags: Use this filter to identify unmanaged devices.
■ Device type: Use this filter to identify PC/Mobile/Tablet/Other.
■ Location: Use this filter to identify countries or unknown (risky) locations.
■ IP address: Use this filter to filter by IP address, use previously assigned IP address tags, or filter by classified services like VPN/Cloud Providers/Risky, etc. You can also define raw IP addresses.
■ Registered ISP: Use this filter to identify a specific ISP based on its IPs.
■ User: Use this filter to target specific users/groups.
■ User agent string: Use this filter to match exact user agent strings.
■ User agent tag: Use this filter to enable the heuristic that identifies mobile and desktop apps. This filter can be set to equals or does not equal. The values should be tested against your mobile and desktop apps for each cloud app.

7. Under Actions, select one of the following options:

■ Test: Set this action to explicitly allow access according to the policy filters you set.
■ Block: Set this action to explicitly block access according to the policy filters you set.
■ Require step-up authentication (Preview): Re-evaluate Azure AD Conditional Access policies based on the authentication context.
■ Protect: This option is available only if you selected Control file download/upload (with inspection) under Session control type (step 5). It offers the following:
  ■ Apply label: If your organization uses Microsoft Purview Information Protection, you can set an action to apply a sensitivity label defined in Microsoft Purview Information Protection to the file.
  ■ Apply custom permissions:
    1. None
    2. Viewer: View only
    3. Reviewer: View, Edit
    4. Co-Author: View, Edit, Copy, Print
    5. Co-Owner: All permissions
  ■ Block download of any file that is unsupported by native protection or where native protection is unsuccessful.

8. You can create an alert for each matching event with the policy's severity as follows:

■ Set an alert limit.
■ Select whether you want the alert as an email, a text message, or both.
■ Send alerts to Power Automate for automation.


NOTE SETTING SESSION/ACCESS POLICY

You can't remove an app from the Conditional Access App Control page once it's added. If you don't set a session or access policy on the app, Conditional Access App Control won't change any behavior for the app.

Implement and manage policies for OAuth apps


While Microsoft Defender for Cloud Apps offers a default set of investigations (discussed briefly later in this chapter) just by virtue of connecting with Azure AD, you can define granular policies around app permissions to get notifications automatically when the criteria are met. This can help admins keep control of the application permissions being consented to. Another example could be alerting on a high permissions level when a certain threshold of users is exceeded. You can also mark the permissions as approved or banned; banning an app will disable the corresponding enterprise application in Azure AD.

Let's review how this policy is created. Launch the Microsoft Defender for Cloud Apps portal by visiting portal.cloudappsecurity.com. Then do as follows:


1. Go to Control > Policies.

2. Select Create policy and then select OAuth app policy.

3. In the OAuth app policy window, assign a name for your policy, such as Detect Apps requesting High Permissions Level (as shown in Figure 3-82).

FIGURE 3-82 OAuth app policy creation wizard.

4. In the Activities matching all of the following section, under Activity source, select additional activity filters to apply to the policy. Filters include the following options:

■ App: Use this filter to target specific app(s).
■ App state: Use this filter to select Approved/Banned/Undetermined.
■ Community use: Use this filter to select Common/Rare/Uncommon.
■ Permissions level: Use this filter to select Low/Medium/High severity.
■ Permissions: Use this filter to select specific permissions (e.g., Directory Read).
■ Publisher: Use this to specify the exact publisher name text.
■ User:
  i. Count: The count of users impacted.
  ii. From group: Use this to specify target group(s).
  iii. Name: Use this to specify target user(s).
  iv. Privileges: Use this to specify exact roles, such as Administrators/Non-Administrators.

5. You can Create an alert for each matching event with the policy's severity:

■ Set an alert limit.
■ Select whether you want the alert as an email, a text message, or both.
■ Send alerts to Power Automate for automation.

6. You can specify Governance actions as below:

■ Office 365: Revoke App


While Microsoft Defender for Cloud Apps allows you to create these powerful policies, there are a few out-of-box anomaly detection policies that automatically review OAuth app metadata to identify potentially malicious applications. These detection policies are only available for OAuth apps that are authorized in Azure AD, and the severity of these anomaly detection policies cannot be modified. See the policies and descriptions in Table 3-18.

TABLE 3-18 Defender for Cloud Apps policies

Policy Name | Policy Description
Misleading OAuth app name | Scans OAuth apps connected to your environment and triggers an alert when an app with a misleading name is detected. Misleading names could indicate an attempt to disguise a malicious app as a known and trusted app.
Misleading publisher name for an OAuth app | Scans OAuth apps connected to your environment and triggers an alert when an app with a misleading publisher name is detected. Misleading publisher names, such as foreign letters that resemble Latin letters, could indicate an attempt to disguise a malicious app as an app coming from a known and trusted publisher.
Malicious OAuth app consent | Scans OAuth apps connected to your environment and triggers an alert when a potentially malicious app is authorized. Malicious OAuth apps may be used as part of a phishing campaign in an attempt to compromise users. This detection leverages Microsoft security research and threat intelligence expertise to identify malicious apps.
Suspicious OAuth app file download activities | Covers various things like IP ranges, user activities, etc.


These out-of-box policies can help mitigate some of the risks that might arise from the 
OAuth apps being used in enterprises. 


To view the OAuth apps detected by Microsoft Defender for Cloud Apps:

■ Go to Investigate > OAuth apps.

You will see all the OAuth applications, along with details such as permissions level and authorized by, and the ability to mark them as Approved or Banned, as shown in Figure 3-83.

FIGURE 3-83 Manage OAuth apps console, showing permission levels for discovered OAuth apps.

It is possible that the admin might require more data for investigation to understand the application's permissions and other details like publishers and URLs. The administrators can click any of the applications to view more details, as shown in Figure 3-84, where the admin might be investigating Microsoft Graph PowerShell details.





FIGURE 3-84 Manage OAuth apps console, showing permission details for specific apps. 


Some of the key information that can be reviewed includes:

■ Publisher
■ Redirect URLs
■ Permissions level
■ Users
■ Community use


Chapter summary 


■ The Cloud App Discovery tool can help detect shadow IT applications.
■ Cloud App Discovery adds a lot of metadata, including application usage, to help admins understand the usage and associated risk of the applications.
■ ADFS Application activity reports can help you identify which applications can be migrated to Azure AD. They help you prioritize applications based on usage in the last 1, 7, and 30 days.
■ The ADFS Application activity service automatically runs several tests to identify potential migration issues and provides recommendations on how those can be fixed.
■ Administrators can configure consent settings to control application creation behavior in the enterprise.
■ Some consent settings can completely block users from consenting to apps, while others allow users to request admin review of an application consent instead of being blocked outright. Consent settings can also be configured to allow consent for verified publisher applications.
■ There are three built-in application management roles that can be assigned to users. Custom roles provide the flexibility to scope specific permissions to a role.
■ The Azure AD Gallery supports thousands of applications. Gallery applications support the SAML, OIDC, password-based SSO, and linked SSO options.
■ Azure AD administrators can control how end users interact with an application through its application property settings.
■ Application properties are different for SAML and OIDC applications; OIDC applications are app registrations.
■ Access management for an application can be configured using users or groups, but in production environments, access is generally controlled using groups.
■ Azure AD Gallery applications are preconfigured for ease of integration.
■ You can also integrate any SAML/OIDC application as a non-gallery application.
■ OAuth is an authorization protocol, while OIDC and SAML are authentication protocols.
■ OIDC is generally used for apps that are purely in the cloud, such as mobile apps, websites, and web APIs.
■ Azure AD supports automated provisioning for certain applications.
■ SCIM is the modern approach to automated user and group provisioning.
■ SCIM makes provisioning development faster, and the integration is standards based, avoiding the need for custom APIs/schemas for every application.
■ App Proxy supports secure remote access to multiple types of web applications running on-premises.
■ App Proxy supports custom domain names. If you choose to use a custom domain, you need a certificate matching the external hostname, and DNS records must be updated on the external DNS.
■ App Proxy does not require any inbound ports to be opened to the application servers from the public internet, because access is brokered by the App Proxy service.
■ App Proxy is part of Azure AD Premium and requires at least a P1 license.
■ Audit logs are considered sensitive information, and access to them is limited to certain privileged roles.
■ Usage and insights reports can help you understand top failures and other information about the applications.
■ Consent settings can be configured to reduce the risk of overexposing organizational data.
■ Consent requests can take advantage of verified publishers. Admins should carefully review any consent request before approving it.
■ App roles can be assigned to both applications and users/groups.
■ App roles can be created using either the Azure AD console or the Manifest Editor.
■ Microsoft Defender for Cloud Apps is a powerful tool to manage and monitor SAML 2.0/OIDC applications.
■ Defender for Cloud Apps can surface user risk, application usage, and application risk patterns.
■ Defender for Cloud Apps provides an integrated catalog of apps that offer deeper integration and insights. It also offers powerful tools like access/session policies and OAuth app policies.

Thought experiment 


In this thought experiment, demonstrate your skills and knowledge of the topics covered in this 
chapter. You can find the answers in the section that follows. 

WoodGrove Bank is a large-scale commercial bank that provides financial services to millions of users worldwide. WoodGrove Bank has thousands of full-time employees and part-time contractors spread across the globe. WoodGrove Bank is in the process of modernizing its application strategy. It carries technical debt in the form of legacy on-premises web applications and some SaaS applications that users need to access remotely from various field locations. The bank has had a number of breaches recently due to password exposure and is looking to block unauthorized access to the applications. It currently has an Azure Active Directory P1 subscription primarily used for Office 365 integrations. A planning committee laid out the following key requirements:

■ All access must be logged.
■ All access must be protected using multifactor authentication.
■ Access should be restricted to authorized, healthy devices only.

You have been hired as a consultant to provide recommendations based on this scenario. Provide some of your top recommendations to WoodGrove Bank by answering the following questions:

1. You are the Global Administrator for the company, and you hire James to help the developers build and manage cloud applications. What role is best suited for James?

   A. Application Administrator
   B. Application Developer
   C. Cloud Application Administrator
   D. Global Administrator

2. You have been tasked to migrate 200 applications from ADFS to Azure Active Directory, and your organization uses ADFS Usage insights. What information is available for you to help with your planning (choose all that apply)?

   A. Application usage in the last 30 days
   B. Potential issues with application migrations
   C. ADFS Certificate expiration
   D. Details on claims transform rules
   E. Number of users signed in using MFA

Thought experiment answers 


This section contains the solution to the thought experiment. Each answer explains why the choice is correct.

Solution

There are several recommendations that align with the problem statement at hand:

■ Ensure that all SaaS applications are tied to Azure Active Directory.
■ Enforce Conditional Access policies. For all applications, require multifactor authentication and/or enforce a device policy that requires a compliant device, to ensure that devices are healthy.
■ For on-premises legacy web applications, recommend the Azure AD Application Proxy, which provides secure remote access without needing to open inbound ports in the firewall. Conditional Access policies can be applied to these applications as well.
■ Azure AD sign-in logs can be used to track all user activity; for long-term retention, consider a SIEM system for storing logs.
■ Block app consent for end users. Although not directly related, this can prevent rogue applications from being registered and being able to steal user credentials.


Answers 


1. You are the Global Administrator for the company, and you hire James to help the developers build and manage applications. What role is best suited for James?

Consider the following:

■ Application Administrators can create and manage all aspects of app registrations and enterprise apps.
■ Application Developers can create application registrations independent of the "Users can register applications" setting.
■ Cloud Application Administrators can create and manage all aspects of app registrations and enterprise apps except App Proxy.
■ Global Administrators can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.

Based on the principle of least privilege, the correct response is C. Cloud Application Administrator. Options A and D would also allow James to do the work but do not follow the least-privilege principle. Option B might limit app types to just app registrations.

2. You have been tasked to migrate 200 applications from ADFS to Azure Active Directory, and your organization uses ADFS Usage insights. What information is available for you to help with your planning?

You were asked to choose from the following information:

■ Application usage in the last 30 days. This data is available as part of the report and is helpful for understanding whether the application is being used; it can help with ranking the migration priority.
■ Potential issues with application migrations. This data is available as part of the report, and an application with no reported issues can be targeted first for migration.
■ ADFS Certificate expiration. This information is not applicable to the application.
■ Details on claims transform rules. This is part of the potential migration issues report, but some of these could be difficult to resolve, affecting the migration planning and priority.
■ Number of users signed in using MFA. Not part of the report.

The correct answers are A, B, and D.




Plan and implement an Identity Governance strategy


Azure AD Identity Governance enables the capability to balance an organization's need for 
security and employee productivity with the right processes and visibility. It mitigates access 
risks by protecting, monitoring, and auditing access to critical organization assets while 
ensuring employee productivity. It also ensures that the right people have the right access to 
the right resources. 


Identity Governance gives organizations the ability to manage the identity lifecycle, the access lifecycle, and privileged access for administration across employees, business partners, users outside of the organization, applications, and services. It helps address the following questions:

■ Who has access to what resources?
■ What are users doing with that access?
■ What organization controls are in place for managing access?
■ Can auditors verify that the controls are working?


NEED MORE REVIEW? IDENTITY LIFECYCLE

Read more about identity lifecycle, access lifecycle, and privileged access lifecycle at: https://docs.microsoft.com/en-us/azure/active-directory/governance/identity-governance-overview.


Skills covered in this chapter:

■ Skill 4.1: Plan and implement entitlement management
■ Skill 4.2: Plan, implement, and manage access reviews
■ Skill 4.3: Plan and implement privileged access
■ Skill 4.4: Monitor Azure AD

Skill 4.1: Plan and implement entitlement management


Employees need access to resources such as groups, applications, and SharePoint sites to 
perform their job. Managing access over time is challenging for the organization and becomes 
more complicated when new groups or applications are added or when users need additional 
access rights. It also becomes more complicated when organizations collaborate with users 
outside of their organization. 


Azure AD entitlement management helps effectively manage access to groups, applications, and SharePoint sites for internal users as well as external users outside your organization.


An Azure AD P2 license is required to perform entitlement management. 


This skill covers how to:

■ Plan entitlements
■ Create and configure catalogs
■ Create and configure access packages
■ Manage access requests
■ Implement and manage Terms of Use
■ Manage the lifecycle of external users in Azure AD Identity Governance settings
■ Configure and manage connected organizations
■ Review per-user entitlements by using Azure AD entitlement management


Plan entitlements 


When employees join organizations or switch teams, they need access to various resources. Managers need to identify what resources the employee needs access to and for how long. Granting access to resources one by one is a complicated task. It is also important to remove employee access when they move out of teams or organizations. The challenges compound for users who need access from another organization.

Global administrators and Identity Governance administrators can create and manage entitlements. However, they might not know all the scenarios where access packages are required. Users from the respective departments know what resources are required to perform a job and for how long. You can identify non-administrators in these departments and delegate access governance to them. Delegating to non-administrators ensures that the right people are managing access.


It is important to understand the roles that are specific to entitlement management. Table 4-1 lists the tasks that the entitlement management roles can perform.

■ Catalog creator: Creates and manages catalogs. Catalog creators own the catalogs they created and can add more catalog owners. However, they can't manage or add resources to catalogs they don't own.
■ Catalog owner: Can edit and manage existing catalogs.
■ Catalog reader: Can view existing access packages within a catalog.
■ Access package manager: Can edit and manage all existing access packages within a catalog.
■ Access package assignment manager: Can edit and manage all existing access package assignments.
■ Approver: Authorized by an access package policy to approve or deny requests to that access package. Approvers don't have permission to change the access package.
■ Requestor: Authorized by an access package policy to request that access package.


TABLE 4-1 Entitlement management roles and tasks

Task                                            | Admin | Catalog creator | Catalog owner | Access package manager | Access package assignment manager
Delegate a catalog creator                      |   x   |                 |               |                        |
Add a connected organization                    |   x   |                 |               |                        |
Create a new catalog                            |   x   |        x        |               |                        |
Add a resource to a catalog                     |   x   |                 |       x       |                        |
Add a catalog owner                             |   x   |                 |       x       |                        |
Edit a catalog                                  |   x   |                 |       x       |                        |
Delete a catalog                                |   x   |                 |       x       |                        |
Delegate to an access package manager           |   x   |                 |       x       |                        |
Remove an access package manager                |   x   |                 |       x       |                        |
Create a new access package in a catalog        |   x   |                 |       x       |           x            |
Change resource roles in an access package      |   x   |                 |       x       |           x            |
Create and edit policies                        |   x   |                 |       x       |           x            |
Directly assign a user to an access package     |   x   |                 |       x       |           x            |                 x
Directly remove a user from an access package   |   x   |                 |       x       |           x            |                 x
View who has an assignment to an access package |   x   |                 |       x       |           x            |                 x
View an access package's requests               |   x   |                 |       x       |           x            |                 x
View a request's delivery errors                |   x   |                 |       x       |           x            |                 x
Reprocess a request                             |   x   |                 |       x       |           x            |                 x
Cancel a pending request                        |   x   |                 |       x       |           x            |                 x
Hide an access package                          |   x   |                 |       x       |           x            |
Delete an access package                        |   x   |                 |       x       |           x            |


Administrators create a catalog, create access packages, and add the required resources. An access package must have at least one policy. The policy specifies who can request access, who can approve the request, whether approval is a single-stage or two-stage process, how long the assignment is valid, whether users can request an extension, and whether access reviews are used to enable planned reviews of the users' access. To see a list of access packages, users can sign in to the My Access portal (https://myaccess.microsoft.com).


Create and configure catalogs 


A catalog is a container of resources and access packages. Administrators create a catalog, create access packages, and add the required resources. To create a catalog, sign in to the Azure portal, select Identity Governance, and then select Catalogs. As shown in Figure 4-1, you can have a single catalog for all access packages or create separate catalogs. An administrator can add resources to any catalog, but a catalog owner can add resources only to the catalogs they own. A catalog owner can add catalog co-owners or access package managers.


FIGURE 4-1 A catalog consists of resources and access packages.
Create a catalog: A Global administrator, Identity Governance administrator, or catalog creator can create a catalog. Sign in to the Azure portal, select Identity Governance, and select Catalogs from the left menu. As shown in Figure 4-2, select New Catalog and provide a name and description for the catalog. Choose options for Enabled and Enabled for external users, and then select Create to create the catalog.

■ Enabled: Select Yes to enable the catalog for immediate use. Select No if you want the catalog to be unavailable until you intend to use it.
■ Enabled for external users: Select Yes to allow users from the selected external directories to request access packages in this catalog. Select No to make the catalog unavailable to users from an external directory.


FIGURE 4-2 Create a new catalog.


Add resources to a catalog: You can include resources such as groups, applications, and SharePoint sites in a catalog. A resource must exist in the catalog before it can be included in an access package. Open the catalog and select Resources. As shown in Figure 4-3, Add resources provides options to select the resources to add to the catalog.

■ Groups: Groups can be Azure AD security groups or Microsoft 365 groups. Groups that originate on-premises, or in Exchange Online as distribution groups, cannot be modified in Azure AD.
■ Applications: Azure AD enterprise applications, including both SaaS and LoB (line-of-business) applications integrated with Azure AD.
■ Sites: SharePoint Online sites or SharePoint Online site collections.


FIGURE 4-3 Add resources to the catalog.


Add an access package to a catalog: As shown in Figure 4-4, you can add access packages to the catalog (all access packages must be in a catalog). The catalog defines which resources can be added to the access package. If no catalog is specified, the access package is placed in the General catalog. All access packages must have at least one policy. The policy defines who can request the access package, who can approve the request, and the lifecycle settings.


FIGURE 4-4 Add access packages to the catalog.


Create and configure access packages 


Administrators create access packages. Access packages bundle the resources with the access that a user needs to perform the job. To create an access package, sign in to the Azure portal, select Identity Governance, and select Access Packages. Instead of granting access to individual resources, access packages help grant or remove access in a more appropriate way for the following resource types:

■ Membership of Azure AD security groups
■ Membership of Microsoft 365 groups and Teams
■ Assignment to Azure AD enterprise applications (including SaaS and custom apps)
■ Membership of SharePoint Online sites
Access packages are more appropriate when:

■ Employees need limited access.
■ Access requires approval by a manager or a designated individual.
■ Resources of a particular department are all grouped together.
■ Users from one organization need access to another organization's resources.

Administrators can delegate non-administrators to create access packages with defined rules, such as who can request access, who approves access, and when access expires.


Create an access package: Sign in to the Azure portal, select Identity Governance, open the catalog, and select Access packages to create an access package, as shown in Figure 4-5. You can also select Access packages from the left menu. Select New access package, provide a name and description, and select a catalog for the access package. At the bottom of the page is an option to create a new catalog. Refer to Figure 4-2 to create a new catalog, or select an existing catalog.


FIGURE 4-5 Create a new access package.


Resource roles provides options to add resources such as groups and Teams, applications, and SharePoint sites. If you create an access package in an existing catalog, you can select any of the catalog's resources without owning them. If you create an access package in the General catalog or in a new catalog, you can select any resource from your own directory; for this, you must be at least a Global administrator or catalog creator. After adding resources, select roles for these resources from the role list.
The Requests tab provides options to create the policy that specifies who can request the access package and to configure the approval settings. As shown in Figure 4-6, the Requests tab has three options:

■ For users in your directory: This option allows users and groups in your directory to request the access package. You can allow only specific users and groups in your directory, all users in your directory, or all users and guest users in your directory to request access to this access package.
■ For users not in your directory: This option allows users in connected organizations to request this access package. You can allow specific connected organizations, all configured connected organizations, or all users from all connected organizations plus any new external users to request access to this access package.
■ None (administrator direct assignments only): This option allows only administrators to directly assign specific users to this access package.


FIGURE 4-6 Users who can request the access package.
Figure 4-6 shows the configuration to enable new requests. Enabling new requests allows users to request the access package. When disabled, users are not allowed to request the access package.

Figure 4-7 shows the Requests tab approval section, where you can specify whether approval and requestor justification are required when users request this access package. The approval process has options to configure a single-stage or two-stage approval process. Single-stage approval has only one approver. The approver can be an internal or external sponsor or selected approvers. Selecting an internal or external sponsor gives the option to configure fallback approvers. For two-stage approval, the selected approvers from each stage need to approve a request.


FIGURE 4-7 Approval configuration in an access package.


Configure Requestor information to collect information from the requestor. You can add questions and localization options. Enable Require access reviews to require answers when users request access to an access package.
Specify when the user's assignment expires and whether access reviews are required for the access package in the Lifecycle section, as shown in Figure 4-8.


FIGURE 4-8 Access package Lifecycle configuration.


In the Lifecycle Expiration section, you can configure the user's assignment to the access 
package to expire on a specific date, a certain number of days or hours after the assignment is 
approved, or never expire. By enabling users to extend access, users can request an extension 
of their access to this package before their access expires. Specify whether approval is required 
when users extend the access by enabling Require approval to grant extension. 


Enable access reviews for the access packages. Access reviews are the planned reviews of the access users have been granted to organizational resources to perform their jobs. User access needs to be reviewed regularly to ensure that the right people have the right access to the right resources. You will learn about access reviews in detail in Skill 4.2.


Configure custom extensions to trigger automated custom workflows from the access package. Workflows can be triggered at stages such as the following:

■ When the request is created
■ When the request is approved
■ When the assignment is granted
■ When the assignment is about to expire in 14 days or in one day, or when the assignment is removed

You can use Azure Logic Apps to automate the custom workflows.
NEED MORE REVIEW? TRIGGER CUSTOM LOGIC APPS

Read more about triggering custom Logic Apps to automate custom workflows at: https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-logic-apps-integration.


In the Review + create tab, select Create to create the access package. 


Manage access requests 


Once the access package is created, administrators share the My Access portal link with the users, or users can request the access packages by signing in to the My Access portal. Figure 4-9 shows the My Access portal link on the access package overview page. When the administrator shares the My Access portal link with internal or external users, users can sign in to the My Access portal (https://myaccess.microsoft.com) to see a list of access packages they can request.


FIGURE 4-9 Access package My Access portal link.


Users request access to an access package, or administrators assign users to an access package. Users receive an email that includes a link to the access package, or they can sign in to the My Access portal (https://myaccess.microsoft.com) to see the list of access packages they can request, as shown in Figure 4-10.
FIGURE 4-10 Users request access packages from the My Access portal.


Administrators assign approvers to an access package. After users submit requests for an access package, approvers receive an email that includes a link to approve or deny the requests. The approver can either click the link to sign in to the My Access portal or sign in directly to the My Access portal (https://myaccess.microsoft.com) and navigate to the Approvals tab, as shown in Figure 4-11.


FIGURE 4-11 Approvers approve users' access package requests.
Implement and manage Terms of Use

Azure AD terms of use policies provide organizations with a simple way to present information to their users. They require users to accept and agree to the terms before accessing the organization's sensitive resources. Terms of use policies ensure that users are aware of the organization's terms and conditions.

A terms of use policy can be a general policy or a specific one, for example, a policy for a dynamic group or a policy for users accessing high-business-impact applications like Salesforce. Terms of use policies use the PDF format to present the content. To support users on mobile devices, the recommended font size in the PDF is 24 points.

A Global administrator, Security administrator, or Conditional Access administrator has permissions to create terms of use. Sign in to the Azure portal and navigate to Identity Governance to find Terms of use in the left menu, or navigate to Conditional Access under Security to find Terms of use. Select New terms of use to create new terms of use. Figure 4-12 shows the "New terms of use" template. When the template opens, give the new terms of use a name. Upload a terms of use document, select a language, and enter a display name. Multiple terms of use policies can be uploaded, each with a different language.

Set Require users to expand the terms of use to On to require that users expand and view the terms of use policy before accepting it. To require users to accept the terms of use on every device, set Require users to consent on every device to On.


FIGURE 4-12 Create terms of use.
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Admins can set an expiration date and frequency for terms of use policies using Expire con- 
sents. If Expire starting on is configured to today’s date, and the frequency is monthly, users 
must accept the terms of use policy and reaccept it every month. For example, if Mike accepts 
the terms of use policy on Jan 1st, the first expiration date is Feb 1st and the second expiration 
date is March 1st. If Mike accepts the terms of use policy on Jan 15th, the first expiration date is 
Feb 1st, and the second expiration date is March 1st. 


For the Duration before re-acceptance required field, specify the number of days before
the user must reaccept the terms of use policy. Here each user follows their own schedule,
counted from their last acceptance. For example, if you set the duration to 30 days and Mike
accepts the terms of use policy on Jan 1st, the first expiration date is Jan 31st and the second
expiration date is March 2nd. If Mike accepts the terms of use policy on Jan 15th, the first
expiration date is Feb 14th, and the second expiration date is March 16th.


It is possible to use the Frequency and Duration before re-acceptance required settings
together, but typically you use one or the other.
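The two scheduling rules are easy to confuse, so here is a small model of them. The following Python is an added example, not code from the book or from Microsoft; it assumes the frequency-to-months mapping shown in the code and simply reproduces the Mike dates above from the rules as stated.

```python
"""Model of the two 'Expire consents' modes of an Azure AD terms of use policy.

Added example, not code from the book or from Microsoft: it only reproduces
the scheduling rules described in the text so the dates can be checked.
"""
import calendar
from datetime import date, timedelta
from typing import List

# Frequencies offered by 'Expire consents', expressed in months
# (this mapping is an assumption made for the example).
FREQUENCY_MONTHS = {"monthly": 1, "quarterly": 3, "semi-annually": 6, "annually": 12}


def add_months(day: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length
    (for example Jan 31 + 1 month -> Feb 28)."""
    month_index = day.month - 1 + months
    year, month = day.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(day.day, calendar.monthrange(year, month)[1]))


def frequency_schedule(accepted: date, expire_starting_on: date,
                       frequency: str, count: int = 2) -> List[date]:
    """Expiration dates when 'Expire starting on' plus 'Frequency' is used.

    The boundaries are fixed on the calendar (start date + k * frequency) and
    do not depend on when the user accepted: the first expiration is the first
    boundary strictly after the acceptance date, so Jan 1 and Jan 15
    acceptances both expire on Feb 1 for a monthly policy starting Jan 1.
    """
    months = FREQUENCY_MONTHS[frequency]
    k = 0
    while add_months(expire_starting_on, k * months) <= accepted:
        k += 1
    return [add_months(expire_starting_on, (k + i) * months) for i in range(count)]


def duration_schedule(accepted: date, duration_days: int, count: int = 2) -> List[date]:
    """Expiration dates when 'Duration before re-acceptance required' is used:
    each user runs on their own clock, duration_days after their last acceptance."""
    return [accepted + timedelta(days=duration_days * (i + 1)) for i in range(count)]


def must_reaccept(today: date, expirations: List[date]) -> bool:
    """True once the first expiration date has been reached."""
    return today >= expirations[0]


if __name__ == "__main__":
    start = date(2023, 1, 1)
    for accepted in (date(2023, 1, 1), date(2023, 1, 15)):
        print(accepted, "monthly:", frequency_schedule(accepted, start, "monthly"),
              "30 days:", duration_schedule(accepted, 30))
```

Running the script prints both schedules for the Jan 1 and Jan 15 acceptances; the frequency mode yields Feb 1 and March 1 in both cases, while the 30-day duration mode yields Jan 31 and March 2 for the first user and Feb 14 and March 16 for the second.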


The Enforce conditional access policy with templates menu has options to create the 
conditional access policy later or create a custom policy. Selecting a custom policy opens a new 
conditional access template. As shown in Figure 4-13, you can find the new terms of use policy 
in the conditional access policy access controls. 


[Figure: Conditional Access policy Grant controls, listing the terms of use next to "Require device to be marked as compliant", with Enable policy set to Report-only]

FIGURE 4-13 The Conditional Access policy shows terms of use.
When users accept or decline the terms of use policy, the number will be shown for each
terms of use policy, as shown in Figure 4-14. Select the number to view the user activity, such as
the number of users who have accepted or declined the terms of use.


To view the terms of use audit logs, select View audit logs. 


[Figure: Identity Governance > Terms of use list with Name, Accepted, and Declined columns and the View audit logs command]

FIGURE 4-14 Terms of use details.


EXAM TIP
Make sure you have a clear understanding of how the terms of use policy expiration date,
duration, and frequency work.


Manage the lifecycle of external users in Azure AD Identity 
Governance settings 


Granting access to external users and managing their access lifecycle is challenging. Because
they are external users, you never know whether they are still with the same external organiza-
tion or have left it, so leaving their accounts in place eventually creates unused, stale guest
accounts. Azure AD entitlement management can block external users from signing in to the
directory, or remove them from it, once they no longer hold any access package assignment.

A Global administrator, Identity Governance administrator, or User administrator can con- 
figure the entitlement management settings. 

The Entitlement management setting Block external users from signing in to this direc- 
tory blocks them from signing in if they lose their last assignment to any access package. If 
a user is blocked from signing in to your directory, the user will not be able to re-request the 
access package or request additional access. 

As shown in Figure 4-15, set Block external users from signing in to this directory to 
No for external users to request access to other access packages. 

To remove the guest user account from your directory for a user who has lost their last 
assignment to any access package, set Remove external user to Yes. 
[Figure: Identity Governance > Settings > Manage the lifecycle of external users, with the settings "Block external user from signing in to this directory" (Yes/No), "Remove external user" (Yes/No), and "Number of days before removing external user from this directory"]

FIGURE 4-15 Entitlement management settings.


Configure and manage connected organizations 


Entitlement management has the capability to select external organizations as connected 
organizations. Users from the connected organizations can request access, and if their access 
is approved, they are automatically invited to your organization. When their access expires, if 
they have no access package assignment, their account gets deleted automatically. There are 
three ways to specify the users from the connected organizations: 


■ Users in another Azure AD directory
■ Users in another non-Azure AD directory, configured for direct federation
■ Users in another non-Azure AD directory, whose email addresses have the same
domain name


Figure 4-16 shows that Contoso has two connected organizations: Fabrikam and Wood-
grove. Fabrikam uses Azure AD, and Woodgrove is a non-Azure AD directory. Users from the
connected organizations are allowed to request access packages: a user whose user principal
name has the domain woodgrove.com or fabrikam.com matches one of Contoso's connected
organizations and can request access packages. Because Fabrikam uses Azure AD, users whose
user principal name matches any verified domain added to the Fabrikam tenant, such as
fabrikam.in, can also request access packages under the same policy. If email one-time
passcode (OTP) authentication is turned on, users from these domains who do not yet have
Azure AD accounts authenticate with an email OTP when accessing Contoso resources.

FIGURE 4-16 Access packages for users from connected organizations.


As shown in Figure 4-17, connected organizations have two states: configured and proposed. 
A configured connected organization is fully functional and allows users within that organiza- 
tion to request access packages. They will show up in the connected organizations picker and 
be in scope for any policies targeting All configured connected organizations. If a connected 
organization has a state of proposed, the administrator has not created or approved the con- 
nected organization. For example, if a user signs up for an access package outside of configured 
connected organizations, any automatically created connected organizations will be in the pro- 
posed state. Proposed connected organizations are not in scope for All configured connected 
organizations. Refer to Figure 4-17 to configure connected organizations. 
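To make the configured/proposed distinction concrete, here is an added Python example (not the book's or Microsoft's code) that resolves a requester's email domain against Contoso's connected organizations. The organization names, domains and the `allow_any_external` policy flag are constructed assumptions for the example, not values taken from the portal.

```python
"""Match an access package requester to a connected organization.

Added example for this chapter, not code from the book or from Microsoft.
The organizations, domains and the policy flag below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


def _domain_of(email: str) -> str:
    if "@" not in email:
        raise ValueError(f"not an email address: {email!r}")
    return email.rsplit("@", 1)[1].lower()


@dataclass
class ConnectedOrganization:
    name: str
    domains: set                 # lower-case domains of the identity source(s)
    state: str = "configured"    # "configured" or "proposed"
    source: str = "azureAD"      # "azureAD", "directFederation" or "domain"

    def matches(self, email: str) -> bool:
        return _domain_of(email) in self.domains


# Constructed data mirroring Figure 4-16: Fabrikam is an Azure AD tenant, so
# every verified domain of that tenant counts; Woodgrove is a non-Azure AD
# directory identified by its email domain.
CONTOSO_CONNECTED_ORGS = [
    ConnectedOrganization("Fabrikam", {"fabrikam.com", "fabrikam.in"}, source="azureAD"),
    ConnectedOrganization("Woodgrove", {"woodgrove.com"}, source="domain"),
]


def resolve_requester(email: str, orgs: List[ConnectedOrganization],
                      allow_any_external: bool = False) -> Optional[ConnectedOrganization]:
    """Return the connected organization the requester belongs to.

    An existing organization (configured or proposed) wins if its domains
    contain the requester's domain. Otherwise, when the policy admits any
    external user (the assumed allow_any_external flag), an organization for
    that domain is created in the "proposed" state, as the text describes for
    self sign-up; if the policy does not, None means the request is out of scope.
    """
    for org in orgs:
        if org.matches(email):
            return org
    if not allow_any_external:
        return None
    domain = _domain_of(email)
    proposed = ConnectedOrganization(domain, {domain}, state="proposed", source="domain")
    orgs.append(proposed)
    return proposed


def in_scope_for_all_configured(email: str, orgs: List[ConnectedOrganization]) -> bool:
    """Scope check for a policy targeting 'All configured connected
    organizations': proposed organizations are never in scope."""
    org = resolve_requester(email, orgs)
    return org is not None and org.state == "configured"
```

A requester at fabrikam.in resolves to Fabrikam through the tenant's verified domains, a requester at an unknown domain is out of scope unless the policy admits any external user, and even then the automatically created organization stays in the proposed state until an administrator configures it.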


[Figure: Identity Governance > Connected organizations list with the Add connected organization, Download, and Refresh commands]

FIGURE 4-17 Connected organizations.


Review per-user entitlement by using Azure AD entitlement 
management 
Entitlement management helps to view who has been assigned to access packages, the policy
used, and the assignment status. If an access package has an appropriate policy, you can assign
the user directly to the access package.


A Global administrator, Identity Governance administrator, User administrator, catalog 
owner, access package manager, or access package assignment manager can view, add, or 
remove assignment for access packages. 
To view who has an assignment, sign in to the Azure portal, navigate to Identity Gover-
nance, select Access Packages, and open an access package. As shown in Figure 4-18, select
Assignments in the left navigation to see a list of active assignments.


[Figure: access package Assignments blade, with Name, UPN, Policy, Status, and End date columns and an Assignment details pane showing the assignment start, end, ID, and status]

FIGURE 4-18 Assignments in an access package.


Select a specific assignment to view additional details. Select Requests on the Manage list 
on the left to see additional details regarding user requests and delivery errors. To download 
a CSV file of the filtered list, click Download. To remove an assignment, select a user and click 
Remove access. 


Configure separation of duties checks for an access package 


Users in an organization might be covered by multiple policies with different settings, and
sometimes they end up with more permissions than they need. Entitlement management separa-
tion of duties restricts users to the access needed to perform their jobs: you configure that a
user who is a member of a given group, or who already has an assignment to a given access
package, cannot request another, incompatible access package.


For example, suppose there are two access packages, one for sales and one for sales reports.
The sales access package gives access to all the resources for the sales department, including
reports; the sales report access package gives access only to sales reports. The admin can
configure separation of duties so that users who hold the sales access package cannot request
the sales report access package. If such a user requests the sales report access package, the
request is blocked.


A Global administrator, Identity Governance administrator, User administrator, catalog 
owner, or access package manager can create a separation of duties. As shown in Figure 4-19, 
sign in to the Azure portal, navigate to Identity Governance, select Access Packages, open 
an access package, and select Separation of Duties. 


[Figure: access package Separation of Duties blade, with the Incompatible access packages list and the Add access package command]

FIGURE 4-19 Create separation of duties.


Skill 4.2: Plan, implement, and manage access reviews 


Azure AD access reviews are the planned reviews of the user access granted to the organiza- 
tion resources to perform the required job. Users’ access needs to be reviewed regularly to 
ensure that the right people have access to the right resources at the right time. It helps miti- 
gate access risk by protecting, monitoring, and auditing access to the resources while ensuring 
employee and guest user productivity. 


An Azure AD Premium P2 license is required to perform access reviews. The organization
needs P2 licenses for users who perform the following tasks:

■ Users who are assigned as reviewers
■ Users who perform a self-review
■ Users as group owners who perform an access review
■ Users as application owners who perform an access review

An Azure AD P2 license is not required for users with the Global administrator or User
administrator roles to set up access reviews and configure settings.


Using access reviews, organizations can:

■ Schedule regular or ad-hoc reviews to see who has access to what resources
■ Delegate reviews to admins or business owners, or let users self-attest for continued access
■ Automate review results, such as removing users' access to resources
■ Track reviews for insights or compliance

This skill covers how to:

■ Plan for access reviews
■ Create and configure access reviews for groups and apps
■ Create and configure access reviews for access packages
■ Create and configure access reviews for Azure AD and Azure resource roles
■ Create and configure access review programs
■ Monitor access review activity
■ Respond to access review activity, including automated and manual responses


Plan for access reviews 


Planning access reviews before implementing them is essential for achieving a desired gover- 
nance strategy for employees and guest users in your organization. To achieve a desired strategy: 


■ Engage the right stakeholders.
■ Plan a pilot.
■ List the resource types to be reviewed.
■ Identify reviewers to review access.

Engage the right stakeholders


Engaging the right stakeholders is critical to achieve the desired impact, outcomes, and responsi- 
bilities. For access reviews, you would likely include representatives from the following teams: 


■ IT administrators, who manage your IT infrastructure, cloud investments, and Software
as a Service (SaaS) apps
■ Development teams, who build and maintain apps for your organization
■ Business units, who manage projects and own applications
■ Corporate governance, who ensure that the organization is following internal policy
and complying with regulations

Plan a pilot


It is highly recommended to plan pilot access reviews with a targeted small group of non- 
critical resources. Based on the pilot results, you can adjust the processes and communication 
as needed. 


Recommendations for planning a pilot include:

■ Start with reviews where results are not automatically applied.
■ Ensure that all users have a valid email address so they receive the email communications
and can take the appropriate actions.
■ Document any changes you made as part of the pilot, such as removing access.
■ Monitor audit logs to ensure all events are properly logged.


List the resource types to be reviewed

Resources such as users (both internal employees and external users), applications, and groups
can be managed and reviewed through access reviews.

Typical targets for access reviews include:

■ User access to applications: SaaS or line-of-business (LOB) applications that are inte-
grated with Azure AD for single sign-on
■ Group membership: groups that are synchronized to Azure AD or created in Azure AD
or Microsoft 365, including teams
■ Access packages: resources like groups, applications, and sites
■ Azure AD roles and Azure resource roles: roles that are defined in Privileged Identity
Management (PIM)


Table 4-2 lists the administrative roles required to create, manage, or read an access review.

TABLE 4-2 Administrative roles to create, manage, and read access reviews

Resource type: Group or application
  Create and manage access reviews: Global administrator; User administrator; Identity
  Governance administrator; Privileged Role administrator (only performs reviews for Azure AD
  role-assignable groups); Group owners (if enabled by an admin)
  Read access review results: Global administrator; Global reader; User administrator; Identity
  Governance administrator; Privileged Role administrator; Security reader; Group owners (if
  enabled by an admin)

Resource type: Access packages
  Create and manage access reviews: Global administrator; User administrator; Identity
  Governance administrator; Catalog owner (for the access package); Access package manager
  (for the access package)
  Read access review results: Global administrator; Global reader; User administrator; Identity
  Governance administrator; Catalog owner (for the access package); Access package manager
  (for the access package); Security reader

Resource type: Azure AD roles
  Create and manage access reviews: Global administrator; Privileged Role administrator
  Read access review results: Global administrator; Global reader; User administrator;
  Privileged Role administrator; Security reader

Resource type: Azure resource roles
  Create and manage access reviews: User access administrator (for the resource); Resource
  owner
  Read access review results: User access administrator (for the resource); Resource owner;
  Reader (for the resource)


Identify reviewers to review access 


When creating an access review, the creator decides who performs the review. The creator
can modify this setting at any time, even after the review has started. Reviewers are typically
one of three kinds:

■ Resource owners: the business owner of a resource
■ A set of individually selected delegates: selected by the access review creator
■ The end user: who self-attests for continued access


Before implementing the access reviews, plan the types of reviews relevant for your organiza- 
tion. The following information is required to create an access review policy: 


■ What resources must be reviewed?
■ Whose access is being reviewed?
■ How often should the review occur?
■ Who will perform the review?
■ How will reviewers be notified to review?
■ What are the timelines to be enforced for the review?
■ What happens if the reviewer doesn't respond in time?
■ What automatic action should be enforced?
■ What manual action will be taken based on review results?
■ What communications should be sent based on actions taken?


Plan access reviews for groups 


Assigning access to resources via groups, either Security groups or Microsoft 365 groups, 
and reviewing group membership effectively governs access. The group can be assigned to 
resources or to an access package that groups resources. With this you can review access to 
groups rather than users’ access to each application. Consider the following while planning 
reviews for groups: 


■ Review group ownership
■ Review membership of exclusion groups in conditional access policies
■ Review guest users' group membership
■ Review on-premises group membership

Plan access reviews for applications


To perform a job, users and external users need access to the applications. It is a good govern- 
ing process to have regular verifications for user access to the applications. This shows who 
has access to what specific applications instead of an access package or a group. Consider the 
following scenarios while planning reviews for applications: 


■ Users granted access to the application directly (not through a group or access package)
■ Sensitive and critical applications
■ Applications that have specific compliance requirements


To create access reviews for an application, in the application Properties set the 
Assignment required? option to Yes, as shown in Figure 4-20. If it is set to No, all users will be 
able to access the application, but you cannot review the access. 


[Figure: Enterprise applications > ServiceNow > Properties blade, showing the "Assignment required?" and "Visible to users?" toggles]

FIGURE 4-20 Set "Assignment required?" to Yes to create access reviews for an application.


Plan access reviews for access packages 


An access package is a bundle of all the required resources (groups, applications, or SharePoint 
sites) for a user to perform the task. Enable access for access packages and perform periodic 
reviews to reduce the risk of stale (unused) access. Access reviews can be configured while 
creating a new access package or while editing an existing access package. 
Plan access reviews for Azure AD roles and Azure resource roles


To improve the overall security posture of the organization, privileged access to resources
should be granted sparingly and reviewed regularly. Privileged Identity Management (PIM)
helps manage privileged access with Azure AD roles and Azure resource roles. Access reviews
are available to review user eligibility for these roles and attest which users need to remain in
a role. The following privileged roles are recommended to have regular access reviews:

■ Global administrator
■ User administrator
■ Privileged authentication administrator
■ Conditional access administrator
■ Security administrator
■ Microsoft 365 and Dynamics service administration roles


EXAM TIP 


Remember the supported resource types and the required administrative roles to create, 
manage, and read access reviews. 


Create and configure access reviews for groups and apps 


When employees move teams or new applications are added, employee access to the groups 
and applications changes over time. Creating access reviews to review user access periodically 
reduces the risk of stale access assignments. 


An Azure AD Premium P2 license is required to create access reviews. A user with a Global 
administrator, User administrator, or Identity Governance administrator role is required. 


To create an access review, sign in to the Azure portal and select Identity Governance. 
Select Access Reviews from the left menu and create a new access review by selecting New 
access review. As shown in Figure 4-21, click the Select what to review dropdown menu to 
view the options for Teams + Groups and for Applications. 
[Figure: New access review blade, Review type tab, with the "Select what to review" dropdown offering Teams + Groups and Applications]

FIGURE 4-21 Access review showing options to select Teams + Groups or Applications.


Figure 4-22 shows that selecting Teams + Groups offers two additional options. 


Select All Microsoft 365 groups with guest users to create reviews for all guest users 
across Microsoft Teams and Microsoft 365 groups in your organization. Dynamic groups and 
role-assignable groups are not included. You can exclude groups by selecting Select group(s) 
to exclude. 


Select Teams + groups to create reviews for teams or groups. 


[Figure: New access review blade with "Teams + Groups" selected, offering "All Microsoft 365 groups with guest users" and "Select Teams + groups"]

FIGURE 4-22 Configure teams and groups.


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute.


As shown in Figure 4-23, selecting Applications provides the option to select applica- 
tions to review. Selecting multiple groups or applications creates multiple access reviews. For 
example, selecting three groups to review results in creating three different access reviews. 


[Figure: New access review blade with "Applications" selected and the "Select application" picker open]

FIGURE 4-23 Configure application in an access review.


Figure 4-24 shows the Reviews tab options to select reviewers and timelines. You have 
options to select Group owner(s), Selected user(s) or groups(s), Users review their own 
access, or Managers of users. You will need to provide a fallback reviewer if you choose either 
Group owner(s) or Managers of users. Fallback reviewers perform access reviews when a group 
doesn’t have an owner or a user has no manager. 


[Figure: New access review blade, Reviews tab, with the "Select reviewers" dropdown offering Group owner(s), Selected user(s) or group(s), Users review their own access, and Managers of users]

FIGURE 4-24 Configure reviewers in an access review.
Figure 4-25 shows the Specify recurrence of review section, used to configure the review
Duration, Review recurrence, Start date, and End date of an access review:


■ Duration (in days): number of days a review is open for input from reviewers
■ Review recurrence: the review frequency, such as One time, Weekly, Monthly, Quarterly,
Semi-Annually, and Annually
■ Start date: when the series of reviews begins
■ End date: an access review can have no end date, end on a specific date, or end after a
number of occurrences

The available durations are constrained by the recurrence so that reviews do not overlap. For
example, the maximum duration that you can set for a monthly review is 27 days, and for a
weekly review the maximum is 6 days.


[Figure: New access review blade, Reviews tab, with Group owner(s) as reviewers, fallback reviewers, a 10-day duration, a start date, and the End options Never, End on specific date, and End after number of occurrences]

FIGURE 4-25 Configure access review duration.
The Settings tab (as shown in Figure 4-26) has information related to decision helpers,
completion, and advanced settings.


[Figure: New access review blade, Settings tab, with the Upon completion settings (Auto apply results to resource, If reviewers don't respond, Action to apply on denied guest users, At end of review send notification), the "No sign-in within 30 days" decision helper, and the Advanced settings (Justification required, Email notifications, Reminders, Additional content for reviewer email)]

FIGURE 4-26 Configure access review settings.


Selecting the Auto apply results to resource checkbox automatically removes access of 
denied users after the review duration. If the checkbox is not selected, you will have to manu- 
ally remove access of a denied user when the review finishes. 


The If reviewers don't respond setting decides what happens to a user's access if the
reviewer did not complete the review within the review period. This setting doesn't apply to
users for whom a reviewer completed the review. The available options are:

■ No change: leaves the user's access unchanged
■ Remove access: removes the user's access
■ Approve access: approves the user's access
■ Take recommendations: applies the system recommendation to approve or deny the user's access


The Action to apply on denied guest users setting specifies what happens to guest users
if the reviewer denies their access. The following options are available:

■ Remove user's membership from the resource: removes the denied guest user's access to
the resource.
■ Block user from signing in for 30 days, then remove user from the tenant: blocks the
denied guest user from signing in after the review ends. If the blocked guest user is not
re-granted access within 30 days, the user is removed from the tenant.


Select the No sign-in within 30 days checkbox for reviewers to receive recommendations 
during the review process. When enabled, the system recommends that reviewers deny users 
who have not signed in within 30 days. 


Select the Justification required checkbox if the reviewer is required to supply a reason for 
approval or denial. 


Enable Email notifications to send reviewers email when an access review starts and send 
the review owners email when a review is completed. 


Enable Reminders to send a reminder email to all reviewers at the midpoint of the review 
period. The content of the emails to reviewers is autogenerated based on review details, such as 
review date, resource, and due date; however, if you need to communicate additional informa- 
tion, you can specify the details in the Additional content for the reviewer email text box. 
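The interaction between these completion settings is the part most easily misread, so the following Python is an added example (not the book's or Microsoft's code) that encodes them as a decision table and applies it to a few constructed user records. The setting names and values used as strings, and the 30-day inactivity window, are assumptions made for the model, not Microsoft Graph API values.

```python
"""Apply the completion settings of an access review to each reviewed user.

Added example, not code from the book or from Microsoft: it encodes the
settings described in the text ('Auto apply results to resource', 'If
reviewers don't respond', 'Action to apply on denied guest users' and the
'No sign-in within 30 days' decision helper) as a decision table. The user
records used with it are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

INACTIVITY_DAYS = 30  # window used by the 'No sign-in within 30 days' helper


@dataclass
class ReviewSettings:
    auto_apply: bool = True                 # 'Auto apply results to resource'
    if_no_response: str = "no_change"       # no_change | remove | approve | take_recommendations
    denied_guest_action: str = "remove_membership"  # or "block_30_days_then_remove"
    decision_helpers: bool = True           # 'No sign-in within 30 days' checkbox


@dataclass
class ReviewedUser:
    upn: str
    is_guest: bool
    last_sign_in: Optional[date]
    decision: Optional[str] = None          # "approve", "deny" or None (reviewer silent)


def recommendation(user: ReviewedUser, review_end: date) -> str:
    """What the decision helper suggests: deny when the user has not signed
    in within the inactivity window (or never signed in at all)."""
    if user.last_sign_in is None or (review_end - user.last_sign_in).days > INACTIVITY_DAYS:
        return "deny"
    return "approve"


def effective_decision(user: ReviewedUser, settings: ReviewSettings, review_end: date) -> str:
    """The reviewer's decision, or the 'If reviewers don't respond' fallback
    for users the reviewer never acted on."""
    if user.decision is not None:
        return user.decision
    return {
        "no_change": "no_change",
        "remove": "deny",
        "approve": "approve",
        "take_recommendations": recommendation(user, review_end),
    }[settings.if_no_response]


def outcome(user: ReviewedUser, settings: ReviewSettings, review_end: date) -> str:
    """Action taken on the resource when the review ends."""
    decision = effective_decision(user, settings, review_end)
    if decision != "deny":
        return "keep"  # approve and no_change both leave the assignment in place
    if not settings.auto_apply:
        return "manual_removal_required"  # the admin must apply the deny by hand
    if user.is_guest and settings.denied_guest_action == "block_30_days_then_remove":
        return "block_sign_in_30_days_then_remove"
    return "remove_membership"


if __name__ == "__main__":
    end = date(2023, 3, 1)  # constructed review end date
    users = [
        ReviewedUser("guest@fabrikam.example", True, date(2023, 1, 1)),       # stale, silent reviewer
        ReviewedUser("alice@contoso.example", False, date(2023, 2, 20)),      # active, silent reviewer
        ReviewedUser("bob@contoso.example", False, date(2023, 2, 20), "deny"),  # explicitly denied
    ]
    settings = ReviewSettings(if_no_response="take_recommendations",
                              denied_guest_action="block_30_days_then_remove")
    for u in users:
        print(u.upn, "->", outcome(u, settings, end))
```

Note that an explicit reviewer decision always overrides the no-response fallback, that turning off Auto apply changes a deny into work for the administrator rather than into no action, and that the guest-specific block-then-remove option only ever applies to guests who were actually denied.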


In the Review + Create section, provide a name to the access review, give a description, 
review the information, and create an access review. 


After successfully creating an access review, you can see the new access review under the 
Access reviews section, as shown in Figure 4-27. 


[Figure: Identity Governance > Access reviews list with Name, Type, Resource, Status, Warning, and Created On columns, showing completed and active reviews]

FIGURE 4-27 List of access reviews.


Create and configure access reviews for access packages 


Skill 4.1 covered access packages in detail. Enabling access reviews for access packages is rec- 
ommended to reduce the risk of stale access. Access reviews can be configured while creating a 
new access package or editing an existing access package. 
A Global administrator, Identity Governance administrator, User administrator, catalog
owner, or access package manager can create access reviews for the access packages.


As shown in Figure 4-28, use the access packages Lifecycle tab to configure access reviews. 
Set Requires access reviews to Yes. Specify the date the reviews will start next to Starting 
on. Review frequency has options to configure annually, bi-annually, quarterly, monthly, and 
weekly. Set the Duration (in days) to define how many days each review of the recurring series 
will be open for input from reviewers. For example, if the review frequency starts on March 1st 
and the duration is set to 30, the review will be open for reviewers to respond to until the end 
of the month. 


The reviewer can be configured as the users themselves (self-review), a specific reviewer, or
each user's manager. The setting If reviewers don't respond decides what happens to the
user's access if the reviewer did not complete the review within the review period. This setting
doesn't apply to users for whom a reviewer completed the review. The available options are:

■ No change: leaves the user's access unchanged
■ Remove access: removes the user's access
■ Take recommendations: applies the system recommendation to approve or deny the user's access

Set Show reviewers decision helpers to Yes for reviewers to receive recommendations
during the review process. When enabled, the system recommends that reviewers deny users
who have not signed in within 30 days. Set Require reviewer justification to Yes if the
reviewer is required to supply a reason for approval or denial.


[Figure: New access package wizard, Lifecycle tab, Access Reviews section with the Require reviewer justification setting]

FIGURE 4-28 Configure access reviews for an access package.


Create and configure access reviews for Azure AD and
Azure resource roles


Privileged Identity Management (PIM) for Azure AD and Azure resource roles is covered in 
Skill 4.3. To reduce the risk associated with stale role assignments, review the assignments 
regularly. 


A Global Administrator or a Privileged Role Administrator can create access reviews for Azure 
AD roles. A resource owner or a User Access Administrator for the resource can create access 
reviews for Azure resource roles. 


Select Azure AD roles or Azure resources under Privileged Identity Management, then select 
Access reviews under the Manage section to create a new access review, as shown in Figure 
4-29. Provide a name, description, start date, frequency, duration, end date, and scope. 


■ Start date - Specifies when the series of reviews begins. 

■ Frequency - Specifies how often the review recurs: One time, Weekly, Monthly, Quarterly, 
  Semi-Annually, or Annually. 

■ Duration (in days) - Number of days each review is open for input from reviewers. 

■ End date - The series can run with no end date, end on a specific date, or end after a 
  specified number of occurrences. 

■ Scope - Determines who is reviewed. For Azure AD roles, users and role-assignable groups 
  assigned to the role are in scope. For Azure resource roles, users and groups assigned to 
  the resource roles are in scope. In both cases you can also select Service principals to 
  review workload identities that have direct assignments to the Azure AD roles or Azure 
  resources. 


Select the privileged roles to review and the reviewers to create access reviews for Azure AD 
or Azure resource roles. 


[Figure 4-29 shows the Contoso | Access reviews blade listing access reviews for Azure AD 
directory roles, with columns Role, Owner, Start Date, End Date, and Status; one row shows 
a review of the Application Administrator role running 2/12/2022 to 3/14/2022 with status 
Active.] 

FIGURE 4-29 Configure access reviews for Azure AD roles. 
Create and configure access review programs 


The new access review appears in the access reviews list with the date created and status. After 
the review starts, Azure AD sends emails to reviewers. 


You can modify access review settings after the review has started. While updating a review, 
you can add or remove primary reviewers, but you cannot remove fallback reviewers. To remind 
reviewers at the midpoint of the review period, enable the Reminders option under Advanced 
settings, as shown in Figure 4-30. 


[Figure 4-30 shows the Access review details | Settings page (tabs: General, Reviewers, 
Scheduling, When completed) for a review named "Review of Security group membership", with the 
Advanced settings Mail notifications and Reminders toggles.] 

FIGURE 4-30 Update access review settings. 


Access reviews can also be implemented programmatically with the access reviews API in 
Microsoft Graph. The API supports both delegated (user) and application contexts. In either 
context, AccessReview.Read.All is enough to list reviews and read decisions; creating, 
updating, or stopping a review requires AccessReview.ReadWrite.All. 


Access review tasks that can be automated using the Graph API include: 

■ Create and start an access review 

■ List all running access reviews and their status 

■ End an access review before its scheduled end 

■ Review access review history, decisions, and the actions performed in each review 

■ Collect the decisions from an access review 
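The read-side tasks in the list above, done with the Microsoft Graph PowerShell SDK. This is an added example, not code from the book or from Microsoft; it assumes the Microsoft.Graph module is installed and that the signed-in administrator consents to AccessReview.Read.All (listing and decisions) and AccessReview.ReadWrite.All (stopping an instance). The definition and instance IDs are placeholders to be taken from the listing step.

```powershell
# Added example (not from the book): list access reviews, collect their decisions,
# and stop one instance early with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module and consent to the two scopes below.
Connect-MgGraph -Scopes 'AccessReview.Read.All', 'AccessReview.ReadWrite.All'

# 1. Every access review definition in the tenant and its status
$definitions = Get-MgIdentityGovernanceAccessReviewDefinition -All
$definitions | Select-Object DisplayName, Status, Id | Format-Table -AutoSize

# 2. Instances that are currently open, per definition
foreach ($def in $definitions) {
    Get-MgIdentityGovernanceAccessReviewDefinitionInstance -AccessReviewScheduleDefinitionId $def.Id -All |
        Where-Object Status -eq 'InProgress' |
        ForEach-Object {
            '{0}: instance {1} open {2:yyyy-MM-dd} to {3:yyyy-MM-dd}' -f $def.DisplayName, $_.Id, $_.StartDateTime, $_.EndDateTime
        }
}

# 3. Decisions recorded so far for one instance (placeholder IDs; take real ones from step 2)
$defId  = '<definition-id>'
$instId = '<instance-id>'
$decisions = Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
    -AccessReviewScheduleDefinitionId $defId -AccessReviewInstanceId $instId -All

# Decision is Approve | Deny | NotReviewed | DontKnow | NotNotified;
# Recommendation is Approve | Deny | NoInfoAvailable (based on 30-day sign-in activity)
$decisions |
    Select-Object @{ n = 'Principal';  e = { $_.Principal.DisplayName } },
                  Decision, Recommendation, Justification,
                  @{ n = 'ReviewedBy'; e = { $_.ReviewedBy.DisplayName } } |
    Format-Table -AutoSize

# Users nobody has decided on yet: the "If reviewers don't respond" setting will act on these
$decisions | Where-Object Decision -eq 'NotReviewed' | ForEach-Object { $_.Principal.DisplayName }

# 4. End the instance before its scheduled end date (needs AccessReview.ReadWrite.All)
Stop-MgIdentityGovernanceAccessReviewDefinitionInstance `
    -AccessReviewScheduleDefinitionId $defId -AccessReviewInstanceId $instId
```

Stopping an instance does not apply the decisions by itself; whether denied users lose access depends on the review's Auto apply setting, described later in this skill.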


NEED MORE REVIEW? ACCESS REVIEW GRAPH APIS 

Read more about the access reviews Graph APIs at https://docs.microsoft.com/en-us/graph/api/resources/accessreviewsv2-overview?view=graph-rest-1.0. 


CHAPTER 4 Plan and implement an Identity Governance strategy 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


Monitor access review activity 


After the access review starts, the designated reviewer performs the review from the 
notification email or by signing in to the My Apps or My Access portal. 


Perform the access review 
Reviewers can open an access review from an email, from the My Apps portal, or from the My 
Access portal. 

Open access review from email: Azure AD sends a notification email to each reviewer when an 
access review is created and started. As shown in Figure 4-31, the email contains the review 
name, the resource under review, the due date, and a Start review link. The reviewer selects 
Start review to open the access review. 


[Figure 4-31 shows the reviewer notification email from Contoso, titled "Please review access to 
the Test Group group in Contoso": "Chris Green, your organization requested that you approve or 
deny continued access to the Test Group group in the Review Security group membership review. 
The review period will end on January 21, 2022," followed by a Start review link and a link to 
learn how to perform an access review.] 

FIGURE 4-31 Email notification to reviewer. 


Open access review from My Apps portal: The reviewer signs in to the My Apps portal, 
https://myapps.microsoft.com, and clicks the user name at the upper-right corner of the page to 
select the organization that requested the access review. As shown in Figure 4-32, the reviewer 
then opens the My Apps dropdown at the upper-left corner and selects My Access to open the My 
Access portal, where Access reviews on the left side opens the review. 


[Figure 4-32 shows the My Apps dropdown in the My Apps portal with the Apps, My Account, and 
My Access entries.] 

FIGURE 4-32 My Apps portal. 
Open access review from My Access portal: The reviewer signs in to the My Access portal, 
https://myaccess.microsoft.com, and selects Access reviews on the left side to open the 
access review, as shown in Figure 4-33. 


[Figure 4-33 shows the My Access portal with the left navigation (Access packages, Request 
history, Approvals, Access reviews) and the Access reviews list with columns Name, Due, 
Resource, and Progress, and tabs for Groups and Apps and Access packages.] 

FIGURE 4-33 My Access portal. 


Access review shows the review due date, the resource under review, and the progress of 
the number of users reviewed over the total number of users. Open an access review to see the 
list of users in scope. 


There are two ways that a reviewer can approve or deny access: 
■ Manually approve or deny access 
■ Accept system recommendations 


A reviewer goes through the list of users and decides whether to approve or deny each user's 
access. If the reviewer selects Don't know for a user, the user keeps their access; the choice is 
recorded in the audit logs, and other reviewers can see it when they perform their review. If the 
administrator requires a reason for each decision, the reviewer must provide one in the Reason 
box. Until the access review ends, the reviewer can change a decision at any time. 


Azure AD generates recommendations based on the user's sign-in activity to make access 
reviews easier and faster. As shown in Figure 4-34, reviewers can view these recommendations 
and accept them with a single click. 
[Figure 4-34 shows the Access reviews page in the My Access portal for "Please review members 
of 'Test Group'", with Accept recommendations, Approve, and Deny buttons above a table with 
columns Name, Recommendation, Decision, and Reviewed by. Chris Green, who last signed in less 
than 30 days ago (Feb 9, 2022), has a system recommendation of Approve; the remaining users 
(dev user, janu pillai, lightning mac, sha user, shatest user) have an unknown last sign-in 
date and a recommendation of Deny.] 

FIGURE 4-34 Reviewers can review access reviews in the My Access portal. 


Complete an access review 


Open the Azure portal access review Overview page to view the current instance of an access 
review, as shown in Figure 4-35. The information about reviews yet to take place will be shown 
under the Scheduled review section. 


[Figure 4-35 shows the Access review details | Overview page in the Azure portal, with Stop, 
Reset, Apply, and Delete actions; the Essentials section lists Owner, Group (Test Group), Scope 
(Everyone), Review status (Active), Access review period (2/9/2022 - 2/12/2022), Selected 
reviewers (Selected users), Recurrence type (One time), and a Progress chart of Not reviewed, 
Approved, Denied, and Don't know decisions.] 

FIGURE 4-35 Access review overview. 
To view the results for a review, open the Results section. To view a single user's result, type 
the display name or user principal name in the search box. To view the results of a completed 
instance of a recurring access review, open Review history and select the instance by its start 
and end date. The Download button exports the results of an access review, whether in progress 
or completed, as a CSV file. 


If Auto apply results to the resource was enabled in the Upon completion settings, the results 
are applied automatically once the review completes or an administrator stops it manually. If 
Auto apply results to the resource was not enabled, navigate to Review history after the review 
period ends, select the instance you want to apply, and select Apply. 


Manage licenses for access reviews 


Access reviews require Azure AD Premium P2. The Global Administrators or User Administrators 
who configure access reviews do not themselves need a P2 license. A P2 license is required for 
users who perform the following tasks: 

■ Users or guest users who are assigned as reviewers 

■ Users or guest users who perform a self-review 

■ Users or guest users who perform an access review as group owners 

■ Users or guest users who perform an access review as application owners 

Azure AD guest users are not counted against P2 licenses; their access is billed on a monthly 
active users (MAU) model. 


Table 4-3 lists some example scenarios to help you determine the number of Azure AD P2 
licenses required for users to perform an access review, act as reviewers, or self-review. 


TABLE 4-3 Access review license model 

Scenario                                                     Number of licenses 
Access review has 100 users and 1 group owner. The group     1 (1 reviewer) 
owner is the reviewer. 
Access review has 100 users and 3 group owners. All group    3 (3 reviewers) 
owners are reviewers. 
Access review has 100 users, and users self-review their     100 (one license per self-review) 
access. 
Access review has 100 users and 50 guest users, and users    100 (one license per self-review; guest 
self-review their access.                                    users are billed on a MAU basis) 
Access review has 5 users and 95 guest users, and users      5 (one license per self-review; guest 
self-review their access.                                    users are billed on a MAU basis) 


NEED MORE REVIEW? ACCESS REVIEW LICENSE REQUIREMENTS 

Read more about access review license requirements at https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#license-requirements. 
Respond to access review activity, including automated and manual responses 


While creating access reviews, you can configure a few settings to automate actions based on 
access review management tasks. 


[Figure 4-36 shows the Settings step of the New access review wizard (steps: Review type, 
Reviews, Settings, Review + Create), with the Upon completion settings: the If reviewers don't 
respond dropdown (No change, Remove access, Approve access, Take recommendations), At end of 
review, send notification to, and the Enable reviewer decision helpers option "No sign-in within 
30 days".] 

FIGURE 4-36 Access review "Auto apply results to resource" and recommendations settings. 


Enabling the Auto apply results to resource setting removes the access of denied users 
automatically when the review period ends. The If reviewers don't respond setting decides what 
happens to a user's access when no reviewer completes the review for that user within the 
review period. Refer to Figure 4-36 for the access review settings. 

This setting does not apply to users whose review a reviewer has completed. The available 
options are: 


■ No change: Leaves the user's access unchanged 

■ Remove access: Removes the user's access 

■ Approve access: Approves the user's access 

■ Take recommendations: Applies the system recommendation to each unreviewed user 


With Take recommendations, users who have signed in within the last 30 days are approved and 
users who have not signed in within 30 days are denied, which is the same recommendation the 
decision helpers show to reviewers. 
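The same upon-completion settings expressed through the Microsoft Graph access reviews API, as an added example that is not part of the book. It creates and starts a quarterly review of a security group's members with the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph module, consent to AccessReview.ReadWrite.All, and uses placeholder object IDs for the group and the fallback reviewer.

```powershell
# Added example (not from the book): create and start a recurring access review
# of a group's members with auto-apply, a default decision for non-responding
# reviewers, decision helpers, reminders, and mandatory justification.
# Assumes the Microsoft.Graph module; IDs below are placeholders.
Connect-MgGraph -Scopes 'AccessReview.ReadWrite.All'

$groupId          = '00000000-0000-0000-0000-000000000000'   # placeholder: group to review
$fallbackReviewer = '11111111-1111-1111-1111-111111111111'   # placeholder: user object ID

$params = @{
    displayName             = 'Quarterly review of Test Group membership'
    descriptionForAdmins    = 'Stale members are removed automatically when reviewers do not respond.'
    descriptionForReviewers = 'Confirm that each member still needs access to Test Group.'

    # Who is reviewed: all transitive members of the group
    scope = @{
        '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
        query         = "/groups/$groupId/transitiveMembers"
        queryType     = 'MicrosoftGraph'
    }
    # Who reviews: the group's owners
    reviewers = @(
        @{ query = "/groups/$groupId/owners"; queryType = 'MicrosoftGraph' }
    )
    # Used when the group has no owners (fallback reviewers cannot be removed later)
    fallbackReviewers = @(
        @{ query = "/users/$fallbackReviewer"; queryType = 'MicrosoftGraph' }
    )

    settings = @{
        mailNotificationsEnabled        = $true   # notify reviewers when each instance starts
        reminderNotificationsEnabled    = $true   # reminder at the midpoint of the period
        justificationRequiredOnApproval = $true   # "Require reviewer justification"
        recommendationsEnabled          = $true   # decision helpers: no sign-in in 30 days => Deny
        instanceDurationInDays          = 14      # "Duration (in days)"
        autoApplyDecisionsEnabled       = $true   # "Auto apply results to resource"
        defaultDecisionEnabled          = $true   # "If reviewers don't respond" ...
        defaultDecision                 = 'Deny'  # ... None | Deny | Approve | Recommendation
        recurrence = @{
            pattern = @{ type = 'absoluteMonthly'; interval = 3 }   # quarterly
            range   = @{ type = 'noEnd'; startDate = (Get-Date).ToString('yyyy-MM-dd') }
        }
    }
}

$definition = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $params
"Created review '{0}' ({1}), status {2}" -f $definition.DisplayName, $definition.Id, $definition.Status
```

Setting defaultDecision to 'Recommendation' instead of 'Deny' is the API equivalent of Take recommendations; 'None' corresponds to No change. With autoApplyDecisionsEnabled left at $false, the decisions are only recorded and an administrator must apply them from Review history.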


Access reviews help to review and clean up guest user access. While creating access reviews 
for groups and applications, you can choose to let the reviewer focus on Guest users only so 
that reviewers are given a focused list of external identities from Azure AD B2B that have access 
to the resource. Guest users can be granted access to different resources. They can be added 
to a group, invited to Teams, assigned to an enterprise app, assigned to an access package, or 
assigned to an Azure AD role and Azure resource. Refer to Figure 4-22 for guest user settings. 
EXAM TIP 

Make sure you have a clear understanding of how the Azure AD P2 license works for access 
reviews. You can learn more about Azure AD licensing at https://azure.microsoft.com/en-us/pricing/details/active-directory/. 


Skill 4.3: Plan and implement privileged access 


Privileged Identity Management (PIM) improves the security posture of an organization by 
protecting, managing, and monitoring access to the critical resources within an organization. 
PIM can target resources residing within an Azure subscription, Azure AD, and various other 
Microsoft Online Services, such as Microsoft 365. PIM helps mitigate the risk of non-essential 
and excessive access assignments to the important organizational resources by enabling 
just-in-time and workflow-based access activation. It also logs the access requests and assign- 
ments to privileged resources in the audit logs, which enables the organization to monitor and 
analyze these assignments closely. 


This skill covers how to: 

■ Plan and manage Azure roles in Privileged Identity Management (PIM), including 
  settings and assignments 

■ Plan and manage Azure resources in PIM, including settings and assignments 

■ Plan and configure privileged access groups 

■ Manage PIM requests and approval processes 

■ Analyze PIM audit history and reports 

■ Create and manage break-glass accounts 


Plan and manage Azure roles in Privileged Identity 
Management (PIM), including settings and assignments 


PIM enables you to manage both custom and built-in Azure roles, including but not limited to 
Owner, User Access Administrator, Contributor, Security Admin, and Security Manager. 
To assign the Azure role: 
1. Sign in to the Azure portal with an account that has User Access Administrator or 
Owner role permissions. 


2. Locate the Azure AD Privileged Identity Management service and then select Azure 
resources, as shown in Figure 4-37. 
[Figure 4-37 shows the Privileged Identity Management | Azure resources blade in the Azure 
portal, with the Refresh, Discover resources, and Activate role buttons, the note "Resources are 
only visible when you have an active role assignment, and they are managed by PIM", the left 
navigation (Quick start, My roles, My requests, Approve requests, Review access, Azure AD roles, 
Privileged access groups (Preview), Azure resources, My audit history), and one managed 
subscription, "Visual Studio Ultimate with MSDN".] 

FIGURE 4-37 Azure resources management with Privileged Identity Management. 


3. Select the resource you would like to manage with PIM, for example, an Azure 
   subscription. 


4. Select Roles, as shown in Figure 4-38. 


[Figure 4-38 shows the Roles blade for the "Visual Studio Ultimate with MSDN" subscription 
under Privileged Identity Management | Azure resources, with an Add assignments button, the 
left navigation (Overview, My roles, Pending requests, Approve requests, Review access, Roles, 
Assignments, Alerts, Access reviews, Settings, Resource audit, My audit), and a table of built-in 
roles (AcrDelete, AcrImageSigner, AcrPull, AcrPush, API Management Service Contributor, App 
Configuration Data Owner, and so on) with Active and Eligible assignment counts.] 

FIGURE 4-38 Azure roles management with PIM. 
5. Select the Add assignments button from the top row. 


6. Select a role (for example, Security Admin) and then assign it to an individual user or a 
   group, as shown in Figure 4-39. 


[Figure 4-39 shows the Add assignments pane (Membership tab) for the "Visual Studio Ultimate 
with MSDN" subscription: Resource type Subscription, Select role set to Security Admin, and one 
selected member.] 

FIGURE 4-39 Assign membership to an Azure role. 


7. Make this assignment either Eligible or Active, depending on the organization's needs, 
and set the start and end date for the assignment, as shown in Figure 4-40. 
[Figure 4-40 shows the Setting tab of the Add assignments pane: Assignment type Eligible or 
Active, the note "Maximum allowed eligible duration is 1 year(s)", Assignment starts 02/23/2022 
7:55:46 AM, and Assignment ends 02/23/2023 7:55:46 AM.] 

FIGURE 4-40 Azure Role assignment settings. 
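The assignment from steps 1 through 7 done with Az PowerShell instead of the portal, as an added example that is not from the book. It makes a principal eligible for Security Admin on a subscription for one year through a PIM role eligibility schedule request. It assumes the Az.Accounts and Az.Resources modules are installed, that the signed-in account holds Owner or User Access Administrator on the subscription, and uses placeholder subscription and principal IDs.

```powershell
# Added example (not from the book): create an Eligible PIM assignment for an
# Azure resource role with Az PowerShell. IDs are placeholders.
Connect-AzAccount

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$principalId    = '11111111-1111-1111-1111-111111111111'   # placeholder: user or group object ID
$scope          = "/subscriptions/$subscriptionId"

# The request needs the full resource ID of the role definition, not just its GUID
$role   = Get-AzRoleDefinition -Name 'Security Admin'
$roleId = "$scope/providers/Microsoft.Authorization/roleDefinitions/$($role.Id)"

$start = (Get-Date).ToUniversalTime()

# RequestType AdminAssign plus an expiry = the "Eligible" assignment with start and end
# dates from Figure 4-40 (the portal caps eligible duration at one year). Use
# New-AzRoleAssignmentScheduleRequest instead to create an Active assignment.
$request = New-AzRoleEligibilityScheduleRequest `
    -Name (New-Guid).Guid `
    -Scope $scope `
    -PrincipalId $principalId `
    -RoleDefinitionId $roleId `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime $start `
    -ExpirationType AfterDateTime `
    -ExpirationEndDateTime $start.AddYears(1) `
    -Justification 'Workload admin for security tooling; assignment reviewed quarterly'

'Eligibility request {0}: status {1}' -f $request.Name, $request.Status

# Verify: eligibility schedules for this principal at (or below) the subscription scope
Get-AzRoleEligibilitySchedule -Scope $scope -Filter "principalId eq '$principalId'" |
    Select-Object RoleDefinitionId, Status, StartDateTime, EndDateTime
```

The same cmdlet with -RequestType AdminRemove removes the eligibility; activations by the eligible user themselves go through -RequestType SelfActivate on New-AzRoleAssignmentScheduleRequest.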


Real-world cost benefit analysis for PIM 


Organizations planning to use PIM should perform a cost-benefit analysis by comparing 
the overall cost of PIM against the security and governance benefits it provides. For 
example, consider a large corporate bank with geo-dispersed staff worldwide and its need 
for governance around privileged identities. In this case, features like built-in workflows 
and auditing are vital for governance. In contrast, a small brick-and-mortar business with 
limited operations might want to weigh the overall cost associated with Azure AD more 
carefully. In such scenarios, it is better to approach the cost-benefit analysis from a holistic 
viewpoint, including the losses the business may incur without PIM, such as data breaches 
that happen over time because standing privileged access is never reviewed. 


You can use the Cost Analysis tool in Azure to explore and analyze your organizational costs. 
It helps you understand where costs occur over time and identify spending trends. More 
information on this subject can be found at https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/quick-acm-cost-analysis. 
PIM licensing 


The organization needs Azure AD Premium P2 licenses for users who perform the following tasks: 

■ Users assigned as eligible to Azure AD or Azure roles managed using PIM 

■ Users who are assigned as eligible members or owners of privileged access groups 

■ Users who are able to approve or reject activation requests in PIM 

■ Users assigned to an access review 

■ Users who perform access reviews 


An Azure AD P2 license is not required for users who perform the following tasks: 

■ Users who set up PIM, configure policies, receive alerts, and set up access reviews 


NEED MORE REVIEW? PIM LICENSING AND EXAMPLE SCENARIOS 

Read more about PIM licensing and practical scenarios at https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/subscription-requirements. 


Table 4-4 describes a few example licensing scenarios related to PIM. 


TABLE 4-4 PIM licensing scenarios example 

Scenario                                                   Licensing requirements       Total licenses needed 
Contoso has 10 administrators for various departments,     5 licenses for the           5 
as well as 2 Global Administrators who configure and       administrators who are 
manage PIM. They made 5 administrators eligible.           eligible 
Northwind Traders has 25 administrators, of which 14       14 licenses for the          17 
are managed through PIM. Role activation requires          eligible roles and 3 for 
approval, and there are 3 different users in the           approvers 
organization who can approve activations. 


Configure PIM for Azure AD roles 


Privileged Identity Management (PIM) settings determine what a user experiences when they 
activate an Azure AD role. PIM configuration settings include MFA, activation duration, 
notification method, and so on. 


To configure an Azure AD role setting: 

1. Sign in to the Azure portal with a user account that has Privileged Role Administrator 
   role permissions. 

2. Locate Azure AD Privileged Identity Management using the top search bar. 

3. Select Azure AD roles under the Manage section. 

4. Next, select the Settings option, as shown in Figure 4-41. 
[Figure 4-41 shows the Default Directory | Settings blade under Privileged Identity Management 
| Azure AD roles, with the left navigation (Pending requests, Approve requests, Review access, 
Roles, Assignments, Alerts, Access reviews, Discovery and insights (Preview), Settings, Resource 
audit, My audit) and a searchable list of roles such as Global Administrator, User Administrator, 
Service Support Administrator, Partner Tier2 Support, Directory Writers, SharePoint 
Administrator, Compliance Administrator, Application Developer, Security Administrator, Intune 
Administrator, Customer LockBox Access Approver, Power BI Administrator, Message Center Reader, 
Desktop Analytics Administrator, Cloud Device Administrator, and Privileged Authentication 
Administrator.] 

FIGURE 4-41 Configure Privileged Identity Management settings for Azure AD roles. 


5. Select the Azure AD role for which you would like to configure the settings. 


6. Next, select Edit to modify the role settings, as shown in Figure 4-42. 


[Figure 4-42 shows the Role setting details page for User Administrator with an Edit button. 
Activation settings listed: Activation maximum duration (hours), Require justification on 
activation, Require ticket information on activation, On activation, require Azure MFA, Require 
approval to activate, Approvers. Assignment settings listed: Allow permanent eligible 
assignment, Expire eligible assignments after, Allow permanent active assignment, Expire active 
assignments after, Require Azure Multi-Factor Authentication on active assignment, Require 
justification on active assignment. Notification settings: Send notifications when members are 
assigned or activated.] 

FIGURE 4-42 Edit role settings for Privileged Identity Management of Azure AD roles. 
7. Review the Activation-related settings, as shown in Figure 4-43. You can also review 
   details about these settings in Table 4-5. 


[Figure 4-43 shows the Edit role setting - User Administrator pane on the Activation tab (tabs: 
Activation, Assignment, Notification): Activation maximum duration (hours) slider set to 8; 
On activation, require: None or Azure MFA; checkboxes for Require justification on activation, 
Require ticket information on activation, and Require approval to activate.] 

FIGURE 4-43 Activation settings for Privileged Identity Management of Azure AD roles. 


TABLE 4-5 Activation settings 

Name                 Description 
Maximum duration     The maximum duration of an activation. You can set it between 0.5 and 24 hours. 
MFA                  You can require either no MFA or Azure MFA on activation. 
Justification        Business justification the user must supply for the role activation. 
Ticket information   Ticket information, for example a help desk or support ticket number, that led 
                     to the role activation. 
Approval             The list of approvers who will be asked to approve the activation request. If no 
                     approvers are selected, Privileged Role Administrators and Global Administrators 
                     become the default approvers. 


8. Keep the defaults and select Assignment. The assignment settings enable you to con- 
figure various options for active and eligible assignments, as shown in Figure 4-44 and 
explained in Table 4-6. 
[Figure 4-44 shows the Edit role setting - User Administrator pane on the Assignment tab: 
Allow permanent eligible assignment, Expire eligible assignments after, Allow permanent active 
assignment, Expire active assignments after, Require Azure Multi-Factor Authentication on active 
assignment, and Require justification on active assignment.] 

FIGURE 4-44 Assignment settings for Privileged Identity Management of Azure AD roles. 


IMPORTANT ACTIVE VERSUS ELIGIBLE ASSIGNMENT 

Make sure you have a clear understanding of eligible and active role assignments. Eligible 
assignments require an action to be performed by a user to use a particular role. The action 
might include requesting an approval, performing MFA, or providing a business justification. 
Active assignments, on the other hand, do not require a user to perform any action to use a 
particular role. 


Table 4-6 provides a summary of assignment settings. 


TABLE 4-6 Assignment settings 

Name                                  Description 
Allow permanent eligible assignment   Global Administrators and Privileged Role Administrators can 
                                      assign permanent eligible assignments. 
Expire eligible assignment after      Global Administrators and Privileged Role Administrators can 
                                      require that all eligible assignments have a specified start 
                                      date and end date. 
Allow permanent active assignment     Global Administrators and Privileged Role Administrators can 
                                      assign permanent active assignments. 
Expire active assignment after        Global Administrators and Privileged Role Administrators can 
                                      require that all active assignments have a specified start 
                                      date and end date. 
Require multifactor authentication    Enforces Azure MFA on activation and on active assignment. 
9. Select Notification and keep the default settings. 

10. Finally, select Update to save the configuration settings. 
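The settings from Tables 4-5 and 4-6 applied to the User Administrator role through the Microsoft Graph role management policy API, which is what the portal's Edit role setting pane writes to. This is an added example, not code from the book or from Microsoft; it assumes the Microsoft.Graph module, consent to RoleManagementPolicy.ReadWrite.Directory, and a placeholder approver group ID. The rule IDs are the fixed names Azure AD assigns to each PIM setting; the User Administrator template ID is the well-known directory role template.

```powershell
# Added example (not from the book): configure PIM activation and assignment
# settings for an Azure AD role via Graph role management policies.
Connect-MgGraph -Scopes 'RoleManagementPolicy.ReadWrite.Directory'

# 1. Find the policy attached to User Administrator at tenant ("/") scope
$roleTemplateId = 'fe930be7-5e62-47db-91af-98c3a49a38b1'   # User Administrator role template
$filter = "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$roleTemplateId'"
$assignment = Invoke-MgGraphRequest -Method GET -Uri ("https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments?`$filter=" + ($filter -replace ' ', '%20'))
$policyId = $assignment.value[0].policyId
$base     = "https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/$policyId/rules"

function Set-PimRule {
    param([string]$RuleId, [hashtable]$Body)
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/$RuleId" -Body $Body -ContentType 'application/json' | Out-Null
    "updated $RuleId"
}

# --- Activation settings (Table 4-5) ---
# Maximum activation duration: 4 hours (portal range is 0.5 to 24)
Set-PimRule 'Expiration_EndUser_Assignment' @{
    '@odata.type'        = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
    isExpirationRequired = $true
    maximumDuration      = 'PT4H'
}
# On activation: require Azure MFA, a justification, and ticket information
Set-PimRule 'Enablement_EndUser_Assignment' @{
    '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
    enabledRules  = @('MultiFactorAuthentication', 'Justification', 'Ticketing')
}
# Require approval; with no approvers listed, PRAs and Global Admins are the default approvers
Set-PimRule 'Approval_EndUser_Assignment' @{
    '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule'
    setting = @{
        isApprovalRequired = $true
        approvalStages = @(@{
            approvalStageTimeOutInDays      = 1
            isApproverJustificationRequired = $true
            escalationTimeInMinutes         = 0
            primaryApprovers = @(@{
                '@odata.type' = '#microsoft.graph.groupMembers'
                groupId       = '22222222-2222-2222-2222-222222222222'   # placeholder approver group
            })
        })
    }
}

# --- Assignment settings (Table 4-6) ---
# No permanent eligible assignments; they expire after 180 days
Set-PimRule 'Expiration_Admin_Eligibility' @{
    '@odata.type'        = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
    isExpirationRequired = $true
    maximumDuration      = 'P180D'
}
# No permanent active assignments; they expire after 15 days
Set-PimRule 'Expiration_Admin_Assignment' @{
    '@odata.type'        = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
    isExpirationRequired = $true
    maximumDuration      = 'P15D'
}
# Require MFA and justification when an admin creates an active assignment
Set-PimRule 'Enablement_Admin_Assignment' @{
    '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
    enabledRules  = @('MultiFactorAuthentication', 'Justification')
}

# Read back the effective rules for the role
(Invoke-MgGraphRequest -Method GET -Uri $base).value |
    ForEach-Object { '{0,-34} {1}' -f $_.id, $_['@odata.type'] }
```

Each Azure AD role has its own policy, so the lookup in step 1 must be repeated per role; the same rule IDs apply to every role. Setting isExpirationRequired to $false on an expiration rule is what the portal calls "Allow permanent" assignment.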


Plan and manage Azure resources in PIM, including settings 
and assignments 
In addition to Azure AD roles, you can also configure Azure resources to be protected with PIM. 
The process of configuring PIM for Azure resources starts with a discovery phase, where you first 
search the resources within an organization and then select them to be protected by PIM. 

To begin the discovery process for Azure resources: 


1. Sign in to the Azure portal and navigate to Azure AD Privileged Identity Management. 


2. If this is the first time you are using PIM for Azure resources, the Discover resources 
button will be displayed on the top row, as shown in Figure 4-45. 


[Figure 4-45 shows the Privileged Identity Management | Azure resources blade before any 
resource is onboarded: the Refresh, Discover resources, and Activate role buttons, the note 
"Resources are only visible when you have an active role assignment, and they are managed by 
PIM", and the empty list with the message "Discover resources or activate an eligible role 
assignment to continue".] 

FIGURE 4-45 Discover Azure resources for Privileged Identity Management. 


3. The Discover resources option lets you bring an Azure subscription or a management 
   group, including its child resources, under PIM management. Select the resource, for 
   example the Azure subscription, and then select Manage resource. PIM prompts that it will 
   manage all child objects of the selected resource; select OK to confirm, as shown in 
   Figure 4-46. 
[Figure 4-46 shows the Azure resources - Discovery blade with the Manage resource button, the 
"Visual Studio Ultimate with MSDN" subscription selected, and the confirmation "Onboarding 
selected resource for management: PIM will manage all child objects for the selected 
resource(s), please confirm to continue" with OK and Cancel buttons.] 

FIGURE 4-46 Manage Azure resources for Privileged Identity Management. 


Plan and configure privileged access groups 


You can give workload-specific administrators quick access to multiple roles with a single 
just-in-time request using the privileged access groups. You can assign eligibility for member- 
ship or ownership of privileged access groups in Privileged Identity Management (PIM). This is 
especially useful when working with Azure AD guest accounts. Instead of a single just-in-time 
policy for all privileged role assignments, you can create two separate privileged access groups 
with their own policies. Less stringent requirements can be imposed on employees, while 
stricter requirements, such as approval workflow, can be imposed on guest accounts when 
they request activation into their assigned role. 


PIM allows you to manage the eligibility and activation of privileged access group assignments in Azure AD. Please refer to the documents available through the links below to learn more about privileged access groups configuration using PIM. 

■ Privileged access groups will be added to Privileged Identity Management: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-discover-groups 
■ Extend or renew privileged access group assignments (preview) in Privileged Identity Management: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-renew-extend 
■ Assigning eligibility for a privileged access group in PIM: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-assign-member-owner 
■ Approve activation requests for members of the privileged access group and owners: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-approval-workflow 
■ Activate my privileged access group roles in Privileged Identity Management: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-activate-roles 
■ Configure privileged access group settings (preview) in Privileged Identity Management: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-role-settings
Analyze PIM audit history and reports


PIM allows you to access complete audit history when activations and assignments are made 
against roles and resources under the management of PIM. 


PIM also enables you to download the audit history on an ad-hoc basis in a standard CSV 
file for retention purposes. 


Azure AD roles 

To access the audit logs for an Azure AD role: 
1. Sign in to the Azure portal and navigate to Azure AD Privileged Identity Management. 
2. Select Azure AD Roles. 
3. Select Resource audit to view the audit history associated with the Azure AD roles, as shown in Figure 4-47. By default, the audit logs for the last 24 hours (last day) are shown, but you can change the duration by using the Time span filter to last week, last month, or a custom time span.


[Figure 4-47 shows the Default Directory | Resource audit blade under Privileged Identity Management | Azure AD roles, with an Export command, a search-by-member-name box and the filters Time span: Last day, Audit type: All, Original requestor: Member and Subject type: All. The two sample entries, both dated 2/23/2022 and requested by Adam, read "Add member to role requested" and "Add member to role complete" for the Global Reader role in Default Directory. The left navigation lists Quick start, Overview, Tasks (My roles, Pending requests, Approve requests, Review access), Manage (Roles, Assignments, Alerts, Access reviews, Discovery and insights (Preview), Settings) and Activity (Resource audit, My audit).]

FIGURE 4-47 Resource audit history for Azure AD roles.


4. You can also export the audit history in a CSV file format by using the Export option 
located at the top row. The CSV file contains more holistic auditing data about the ac- 
tivities, including items like ticket information, ticket number, reason, etc. 

The My audit option available under the Activity section is like the Resource audit but al- 
lows you to view your personal role activity. 
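As an added example (not from the book), the following Python script reads an ad-hoc PIM audit CSV export of the kind described above and pulls out three things an auditor typically asks for: completed role actions per role, requests that never reached a completed state, and requests recorded without a ticket number or reason. The CSV column names and the sample rows are constructed for this example; match the header row to the headers of your own export.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample of a PIM resource-audit CSV export. The column names and the
# ticket/reason fields are assumptions for this example; the real export may label
# them differently, so adjust the header row to match your download.
SAMPLE_PIM_AUDIT_CSV = """\
Time,Requestor,Action,ResourceName,PrimaryTarget,Subject,TicketNumber,Reason
2/23/2022 8:29:38 AM,Adam,Add member to role requested,Default Directory,Global Reader,Adam,,Routine review
2/23/2022 8:29:38 AM,Adam,Add member to role complete,Default Directory,Global Reader,Adam,,Routine review
2/23/2022 8:23:07 AM,Razi Rais,Add member to role in PIM requested,Visual Studio Ultimate with MSDN,Security Admin,Adam,INC-1001,Investigate alert
2/23/2022 8:23:09 AM,Razi Rais,Add member to role in PIM completed,Visual Studio Ultimate with MSDN,Security Admin,Adam,INC-1001,Investigate alert
2/24/2022 9:05:00 AM,Pat,Add member to role in PIM requested,Visual Studio Ultimate with MSDN,Owner,Pat,,
"""

TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # matches the constructed sample above


def parse_pim_audit(csv_text):
    """Parse the CSV export into dicts, converting the Time column to a datetime."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["Time"] = datetime.strptime(row["Time"], TIME_FORMAT)
    return rows


def _is_requested(action):
    return action.endswith("requested")


def _is_completed(action):
    # Azure AD role entries end in "complete", Azure resource entries in "completed".
    return action.endswith(("complete", "completed"))


def _key(row):
    return (row["Requestor"], row["PrimaryTarget"], row["Subject"])


def completed_by_role(rows):
    """Count completed role actions per primary target (the role name)."""
    return Counter(r["PrimaryTarget"] for r in rows if _is_completed(r["Action"]))


def find_incomplete_requests(rows):
    """Return (requestor, role, subject) keys that were requested but never completed.

    A request still waiting for approval, or one that was denied, shows up here,
    which makes this a quick way to spot dangling approval workflows in an export.
    """
    requested = {_key(r) for r in rows if _is_requested(r["Action"])}
    completed = {_key(r) for r in rows if _is_completed(r["Action"])}
    return sorted(requested - completed)


def find_missing_justification(rows):
    """Return requested rows that carry neither a ticket number nor a reason."""
    return [r for r in rows
            if _is_requested(r["Action"])
            and not r["TicketNumber"].strip()
            and not r["Reason"].strip()]


if __name__ == "__main__":
    audit_rows = parse_pim_audit(SAMPLE_PIM_AUDIT_CSV)
    print("completed per role:", dict(completed_by_role(audit_rows)))
    print("requested but not completed:", find_incomplete_requests(audit_rows))
    print("no justification:", [r["Requestor"] for r in find_missing_justification(audit_rows)])
```

The pairing of "requested" and "complete(d)" rows is done on the requestor, role and subject rather than on time, because the two rows of one activation can share a timestamp (as they do for Adam in Figure 4-47).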
Azure roles


PIM also enables you to view activity and activation history reports for Azure roles. To access 
audit history and reports for the Azure roles: 

1. Sign in to the Azure portal and navigate to Azure AD Privileged Identity Management. 
2. Select Azure resources and choose the Azure resource—for example, an Azure subscription—for which you'd like to explore the audit report. 
3. The Overview page for Azure resources, as shown in Figure 4-48, shows a report with Admin view and My view tabs containing critical data, including Role activations in last 7 days, Role assignment distribution, PIM activities in last 30 days, and Roles by assignment.


[Figure 4-48 shows the Overview page for the Visual Studio Ultimate with MSDN subscription under Privileged Identity Management | Azure resources, with Admin view and My view tabs. The Admin view contains the Role activations in last 7 days chart, the Role assignment distribution chart (eligible, time based active and permanent active assignments), the PIM activities in last 30 days table (Members with new eligible assignments: 0, Members assigned as active: 1, Groups with new eligible assignments: 0, Groups assigned as active: 0) and the Roles by assignment (descending) table (Contributor: 2, User Access Administrator: 1, Owner: 1, Security Admin: 1).]

FIGURE 4-48 Azure resources report with Azure role activation and assignments.


4. Select Resource audit under the Activity section, as shown in Figure 4-49, to view the audit logs against the Azure resources, including Azure role assignments and requests, for administrative purposes.
[Figure 4-49 shows the Resource audit blade for the Visual Studio Ultimate with MSDN subscription under Privileged Identity Management | Azure resources, with the same Time span, Audit type, Original requestor and Subject type filters and an Export command. The two entries dated 2/23/2022 show requestor Razi Rais with the actions "Add member to role in PIM requested" and "Add member to role in PIM completed" for the Security Admin role, with Adam as the subject.]

FIGURE 4-49 Resource audit for Azure resources.

5. To gather more insights about the actions of a particular user, select Roles or Assignments, and then select a user. The Activity details page, as shown in Figure 4-50, provides a resource activity summary associated with the user account.

[Figure 4-50 shows the Activity details blade for a role assignment, with Remove and Update commands. Essentials lists member name Adam, the member's email, the Security Admin role, assignment start time 2/23/2022, 8:23:09 AM, assignment end time 8/22/2022, 9:22:27 AM and scope Directory. Below a Start date / End date filter, the Resource activity summary lists the role activation "Add member to role in PIM completed".]

FIGURE 4-50 Role assignment activity details for a specific user.
PIM also allows you to export a complete list of role assignments, along with all its child 
resources for a particular Azure resource, as shown in Figure 4-51. This is particularly useful 
for compliance reasons since auditors within an organization are often required to capture all 
resource assignments, including the parent resource all the way down to child resources.


To export the complete list of role assignments: 
1. Sign in to the Azure portal and navigate to Azure AD Privileged Identity Management. 
2. Select Azure resources and choose the Azure resource—for example, an Azure subscription—for which you would like to explore the audit history. 
3. Select Assignments and then select Export. 
4. The Export membership blade provides you with an option to either export all members, including those under child resources, or export only members under the currently selected Azure resource, such as an Azure subscription.


[Figure 4-51 shows the Assignments blade for the Visual Studio Ultimate with MSDN subscription with the Export membership pane open. The pane offers two options: "Export membership information for everyone with role assignments inside this subscription" (Export members only in this subscription) and "Export membership information for everyone with role assignments inside this subscription as well as its child resources (resource groups, resources etc)" (Export all members). The assignment list behind it shows members under the Contributor, Owner, Security Admin and User Access Administrator roles.]

FIGURE 4-51 Export membership information for everyone with a role assignment.
Create and manage break-glass accounts 

Break-glass accounts are highly privileged accounts that are intended to be used only in 
emergency situations where regular administrative accounts cannot be used. Emergency situations 
that may warrant the use of break-glass accounts include but are not limited to: 

■ An administrator account has lost the ability to perform Azure AD MFA, either because of a network failure or because the device required to complete the MFA is not accessible. 
■ An administrator account relies for authentication on a federated identity provider (IdP) that is experiencing an outage, so the account cannot complete the sign-in operation. 
■ The last user with Global Administrator permissions is no longer available or is no longer a part of the organization.


To mitigate the risks associated with losing administrative access to Azure AD, it is highly 
recommended that you create two or more break-glass emergency accounts within the tenant.


When creating the break-glass accounts, use the following recommendations: 

■ Use an Azure AD cloud-only account with the .onmicrosoft.com domain. 
■ Assign Global Administrator permissions to the emergency account and make sure the assignment is permanent. 
■ Do not use federated or on-premises synchronized accounts. 
■ Account credentials should never expire. 
■ The account should not be associated with an individual user. 
■ Any device required for accessing the account should be kept in a well-documented secure location with multiple communication channels to Azure AD. 
■ For resiliency purposes, use a different authentication method for each emergency account. 
■ Exclude at least one emergency account from conditional access policies to ensure its access to Azure AD is not blocked by a misconfigured policy. 
■ Automate the creation and management of all emergency accounts. 
■ Continuously monitor activity associated with emergency accounts. Azure Monitor can generate alerts whenever emergency accounts are used, and reports can be created to capture the usage of emergency accounts over time. 
■ Document details about emergency accounts in a clear step-by-step fashion and make them available to relevant employees. 
■ Validate the emergency accounts periodically—at a minimum, every 90 days or sooner. Also, validate the accounts whenever there is a significant change in the organization, such as when a new employee with administrative privileges joins the team.
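The checklist above can be turned into a repeatable validation. The following Python script is an added example, not from the book or from Microsoft: it encodes the recommendations as checks over account records you would gather from the tenant. The EmergencyAccount fields are assumptions for the example (they are not the directory's own schema), and the two sample accounts are constructed, one following the guidance and one breaking most of it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class EmergencyAccount:
    """Constructed view of one break-glass account (field names are assumptions)."""
    upn: str                          # user principal name
    cloud_only: bool                  # True if not federated or synced from on-premises
    role_assignments: Dict[str, str]  # role name -> "Permanent" or "Eligible"
    password_never_expires: bool
    assigned_person: Optional[str]    # individual the account is tied to, if any
    auth_method: str                  # e.g. "FIDO2 security key", "vaulted password"
    excluded_from_ca: bool            # excluded from every Conditional Access policy
    days_since_validation: int


MAX_VALIDATION_INTERVAL_DAYS = 90  # "at a minimum, every 90 days or sooner"


def check_account(acct: EmergencyAccount) -> List[str]:
    """Check one account against the per-account recommendations."""
    findings = []
    if not acct.upn.lower().endswith(".onmicrosoft.com"):
        findings.append(f"{acct.upn}: not a cloud-only .onmicrosoft.com account")
    if not acct.cloud_only:
        findings.append(f"{acct.upn}: federated or on-premises synchronized")
    if acct.role_assignments.get("Global Administrator") != "Permanent":
        findings.append(f"{acct.upn}: Global Administrator is not a permanent assignment")
    if not acct.password_never_expires:
        findings.append(f"{acct.upn}: credentials are set to expire")
    if acct.assigned_person:
        findings.append(f"{acct.upn}: tied to an individual user ({acct.assigned_person})")
    if acct.days_since_validation > MAX_VALIDATION_INTERVAL_DAYS:
        findings.append(f"{acct.upn}: not validated in the last "
                        f"{MAX_VALIDATION_INTERVAL_DAYS} days")
    return findings


def check_tenant(accounts: List[EmergencyAccount]) -> List[str]:
    """Apply the tenant-wide recommendations, then the per-account ones."""
    findings = []
    if len(accounts) < 2:
        findings.append("fewer than two emergency accounts exist")
    if not any(a.excluded_from_ca for a in accounts):
        findings.append("no emergency account is excluded from Conditional Access policies")
    methods = [a.auth_method for a in accounts]
    if len(set(methods)) != len(methods):
        findings.append("emergency accounts share an authentication method")
    for acct in accounts:
        findings.extend(check_account(acct))
    return findings


# Constructed sample accounts (contoso is a placeholder tenant name).
GOOD_ACCOUNT = EmergencyAccount(
    upn="breakglass1@contoso.onmicrosoft.com", cloud_only=True,
    role_assignments={"Global Administrator": "Permanent"},
    password_never_expires=True, assigned_person=None,
    auth_method="FIDO2 security key", excluded_from_ca=True, days_since_validation=30,
)
BAD_ACCOUNT = EmergencyAccount(
    upn="breakglass2@contoso.com", cloud_only=False,
    role_assignments={"Global Administrator": "Eligible"},
    password_never_expires=False, assigned_person="Adam",
    auth_method="FIDO2 security key", excluded_from_ca=False, days_since_validation=120,
)

if __name__ == "__main__":
    for line in check_tenant([GOOD_ACCOUNT, BAD_ACCOUNT]):
        print("FINDING:", line)
```

Run it from a scheduled job that reads the real account state, and treat any non-empty finding list as a ticket to fix before the next validation window.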
Skill 4.4: Monitor Azure AD


Monitoring is a critical aspect of the Azure AD governance process. It also plays a vital role in 
meeting compliance and security requirements of an organization. 


Azure AD sign-in and audit logs contain useful information that provides valuable insights 
into users, applications, and various system directory-level activities. 

Administrators and business stakeholders can use monitoring: 

■ To generate reports that provide actionable insights to business and IT operations. For example, peak and off-peak hours when a particular Azure AD application is used by the users, usage telemetry showing the adoption of SaaS applications within an organization, the number of times in a week a password reset has been performed by the user using the self-service password reset (SSPR) feature, etc. 
■ To generate custom alert notifications when there is a sudden drop or influx in the number of sign-in requests. These types of custom notifications are particularly useful for smooth IT operations. 
■ To meet organizational compliance requirements that require tracking and reporting of administrative operations on an Azure AD tenant. 
■ To meet state or local regulatory requirements that require archival of user and administrative activities for a specified duration and to provide reporting on these activities.


This skill covers how to: 
■ Design a strategy for monitoring Azure AD 
■ Review and analyze sign-in, audit, and provisioning logs by using the Azure Active Directory admin center 
■ Configure diagnostic settings, including Log Analytics, storage accounts, and Event Hub 
■ Monitor Azure AD by using Log Analytics, including KQL queries 
■ Analyze Azure AD by using workbooks and reporting in the Azure Active Directory admin center 
■ Monitor and improve the security posture by using the Identity Secure Score


Skill 4.4: Monitor Azure AD CHAPTER 4 335
Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 




Design a strategy for monitoring Azure AD 


Legal, security, and operational requirements, as well as existing organizational processes, all 
influence the design of an Azure AD monitoring solution. A successful monitoring strategy is a 
combination of various aspects, some of which are described below. 


Engage the appropriate stakeholders 


Technology projects frequently fail because of misaligned expectations regarding their influence, 
results, and roles. Make sure you're involving the appropriate stakeholders if you want to prevent 
these issues. Documenting the stakeholders, their project input, and their accountability obliga- 
tions will also help to ensure that their responsibilities in the project are fully understood. 


Create a thorough communication plan 


For any new service to be successful, communication is essential. Inform your users in advance 
of any changes that will affect their experience, as well as when and how they can contact you 
for assistance. Because monitoring is a component of many organizations’ broader Security 
Information and Event Management (SIEM) capabilities, it is critical to ensure that any changes 
to processes are clearly documented and communicated to avoid last-minute delays. 


Define Azure AD monitoring capabilities 
Administrators and business stakeholders can use Azure AD monitoring: 
■ To generate reports that provide actionable insights to business and IT operations. For example, peak and off-peak hours when a particular Azure AD application is used by the users, usage telemetry showing the adoption of SaaS applications within an organization, the number of times in a week the password reset has been performed by the user using the self-service password reset (SSPR) feature, etc. 
■ To generate custom alert notifications when there is a sudden drop or influx in the number of sign-in requests. These types of custom notifications are particularly useful for smooth IT operations. 
■ To meet organizational compliance requirements that require tracking and reporting of administrative operations on an Azure AD tenant. 
■ To meet state or local regulatory requirements that require archival of user and administrative activities for a specified duration and to provide reporting on these activities.


Review and analyze sign-in, audit, and provisioning logs by 
using the Azure AD admin center 


Azure AD sign-in logs provide detailed information about user activities, which can be useful for 
troubleshooting access-related issues. For example, too many sign-in failures from a user may 
indicate a permission-related issue or can be a result of a cyberattack against a user account. 
Table 4-7 summarizes the subset of fields in the sign-in log that are particularly relevant to troubleshooting access-related issues. 

TABLE 4-7 Azure AD sign-in logs schema (abridged) 

Name | Description 
Time | The datetime, in UTC. 
CallerIpAddress | The IP address associated with the client that made the sign-in request. 
Location | The location of the sign-in activity. For example, “US.” 
Identity | The identity that was presented during the sign-in request. It can be a user account, system account, or service principal—for example, “John Doe.” 
OperationName | For the user sign-in operation, the value is always “Sign-in activity.” 
TenantId | The GUID that corresponds to the Azure AD tenant's unique identifier. 
ResultType | The result of the sign-in operation. This is “0” when the sign-in operation succeeds; otherwise it contains a detailed error code for the failure. See the section on sign-in error codes for more details. 
ResultDescription | The description of the error during the sign-in operation. 
RiskDetail | The reason associated with the risk behind a specific state of a risky user, sign-in, or risk detection. Possible values include none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, and unknownFutureValue. This field requires an Azure AD P2 license; otherwise, the value “hidden” is returned. 
RiskEventTypes | The risk detection types associated with the sign-in. Possible values include unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, and unknownFutureValue. This field requires an Azure AD P2 license; otherwise, the value “hidden” is returned. 
RiskLevelAggregated | The aggregated risk level associated with the user. Possible values include none, low, medium, high, and unknownFutureValue. This field requires an Azure AD P2 license; otherwise, the value “hidden” is returned. 
RiskLevelDuringSignin | The risk level associated with the user sign-in. Possible values include none, low, medium, high, hidden, and unknownFutureValue. This field requires an Azure AD P2 license; otherwise, the value “hidden” is returned. 
RiskState | The state of the risk associated with the user sign-in. Possible values include none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, and unknownFutureValue.
Working with real-world PII data during troubleshooting 

Azure AD sign-in logs contain Personally Identifiable Information (PII), which includes 
sensitive information about user identity such as unique identifier number, IP address, 
location, etc. Handling PII carefully is critical to avoid legal and regulatory fines that 
may be imposed if data is shared broadly without proper user consent. For example, an IT 
administrator working for a financial services company, Contoso, may want to download 
the sign-in logs and share them for troubleshooting purposes with an IT support engineer 
who is working for a contract company, Fabrikam. By default, data in sign-in logs is not 
redacted or even encrypted, which may lead to data leakage. This is why, when working 
with logs that contain PII data, it is critical to first review organizational guidelines 
regarding the sharing of logs with a broader audience, even for troubleshooting purposes. 
It is highly recommended that you always ask users for their consent before reading their 
PII data. Also, redacting PII attributes from the logs that may not be required during 
troubleshooting is generally a good idea, since it prevents accidental data breaches. You 
can read more about working with personal data in logs at https://docs.microsoft.com/en-us/azure/azure-monitor/logs/personal-data-mgmt.


To gain access to the sign-in logs using the Azure portal, sign in to the portal with a user 
account with Global administrator permissions or with one of the following permissions: 

■ Security administrator 
■ Security reader 
■ Global reader 
■ Reports reader


IMPORTANT ACCESSING YOUR SIGN-IN ACTIVITY 


Individual users can always access their own sign-in activity by navigating to the link 
https://mysignins.microsoft.com. 


To access sign-in logs: 
1. Sign in to the Azure portal and navigate to Azure Active Directory. The sign-in logs are available under the Monitoring section of the Azure AD blade, as shown in Figure 4-52. 

[Figure 4-52 shows the Monitoring section of the Azure AD blade with the Sign-in logs entry.] 

FIGURE 4-52 Azure AD sign-in logs.
2. The Activity Details: Sign-ins blade appears when you select a particular sign-in activity, as shown in Figure 4-53. This blade contains sign-in information for a particular sign-in event in a tabular format.


[Figure 4-53 shows the Activity Details: Sign-ins blade with the tabs Basic info, Location, Device info, Authentication Details, Conditional Access, Report-only and Additional Details. The Basic info tab lists Date 2/23/2022, 8:28:36 AM, a Request ID, a Correlation ID, Authentication requirement: Single-factor authentication, Status: Success, Continuous access evaluation: No, the Troubleshoot Event steps (1. Launch the Sign-in Diagnostic; 2. Review the diagnosis and act on suggested fixes), User, Username, User ID, Sign-in identifier, User type: Member, Cross tenant access type: None, Application: Azure Portal, an Application ID and Resource: Windows Azure Service Management API.]

FIGURE 4-53 Activity details for a user sign-in.


IMPORTANT AZURE AD PREMIUM LICENSE 

Azure AD licensing plays an important role when it comes to the level of detail available 
within sign-in logs. For example, an Azure AD Premium P2 license is required to log information 
related to Azure Identity Protection features such as the risk associated with a particular 
sign-in operation. In the absence of an Azure AD P2 license, the sign-in log may only provide 
generic values labeled “hidden” instead of actual risk details such as the risk level or risk 
detection type of a particular sign-in.


Analyzing error codes for troubleshooting 

When a sign-in event results in a failure, Azure AD logs the relevant details in the sign-in logs, 
including an error code along with a failure reason. Figure 4-54 shows the Sign-in error code 
and the Failure reason due to an unsuccessful user sign-in. Also, notice the Additional Details 
property, which provides further information about the failure.


[Figure 4-54 shows the Activity Details: Sign-ins blade for a failed sign-in by user Bob Smith on 2/5/2022, 7:23:05 AM: Authentication requirement: Single-factor authentication, Status: Failure, Continuous access evaluation: No, Sign-in error code: 50126, Failure reason: "Error validating credentials due to invalid username or password", and Additional Details: "The user didn't enter the right credentials. It's expected to see some number of these errors in your logs due to users making mistakes." The Troubleshoot Event steps, the user's Username, User ID and Sign-in identifier, User type: Member and Cross tenant access type: None are also listed.]

FIGURE 4-54 Sign-in failure error code and description.


IMPORTANT ERROR CODES LOOKUP 


Microsoft provides an online error code lookup tool that provides a list of possible reme- 
diation steps if they are available against a particular error code. You can access this tool by 
visiting the link https://login.microsoftonline.com/error. 
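As an added example (not from the book), the following Python code works through the Table 4-7 fields, the PII guidance in the sidebar and the error-code analysis above on a constructed set of sign-in records: it counts failures per identity, tallies the (ResultType, ResultDescription) pairs, checks whether the risk fields carry real values or the “hidden” placeholder, and pseudonymizes the PII fields before the records are shared for troubleshooting. The IP addresses, tenant ID, failure threshold and redaction secret are placeholders; only the field names and the 50126 description come from the page.

```python
import hashlib
import hmac
from collections import Counter


def _rec(time, ip, identity, result, description, risk_level, risk_state):
    """Build one record using the Table 4-7 field names (constructed values)."""
    return {"Time": time, "CallerIpAddress": ip, "Location": "US", "Identity": identity,
            "OperationName": "Sign-in activity",
            "TenantId": "00000000-0000-0000-0000-000000000000",  # placeholder tenant id
            "ResultType": result, "ResultDescription": description,
            "RiskLevelDuringSignin": risk_level, "RiskState": risk_state}


INVALID_CREDENTIALS = "Error validating credentials due to invalid username or password"

# Constructed sign-in records: one success for Adam, a run of 50126 failures for
# Bob Smith (the invalid-credentials code from Figure 4-54) and one for Carol.
SAMPLE_SIGNIN_LOG = [
    _rec("2022-02-23T08:28:36Z", "203.0.113.10", "Adam", "0", "", "hidden", "none"),
    _rec("2022-02-05T07:23:05Z", "198.51.100.7", "Bob Smith", "50126", INVALID_CREDENTIALS, "hidden", "none"),
    _rec("2022-02-05T07:23:40Z", "198.51.100.7", "Bob Smith", "50126", INVALID_CREDENTIALS, "hidden", "none"),
    _rec("2022-02-05T07:24:12Z", "198.51.100.7", "Bob Smith", "50126", INVALID_CREDENTIALS, "hidden", "none"),
    _rec("2022-02-05T07:25:01Z", "198.51.100.7", "Bob Smith", "0", "", "hidden", "none"),
    _rec("2022-02-05T09:10:00Z", "192.0.2.44", "Carol", "50126", INVALID_CREDENTIALS, "low", "atRisk"),
]

FAILURE_THRESHOLD = 3  # failures per identity that warrant a closer look (assumed value)
PII_FIELDS = ("Identity", "CallerIpAddress", "Location")
REDACTION_SECRET = b"placeholder-secret-rotate-per-share"  # placeholder, not a real key


def failures_by_identity(records):
    """Count failed sign-ins (ResultType other than "0") per presented identity."""
    return Counter(r["Identity"] for r in records if r["ResultType"] != "0")


def identities_to_review(records, threshold=FAILURE_THRESHOLD):
    """Identities whose failure count reaches the threshold. As the text notes, a
    permission problem or an attack against the account are the usual causes."""
    return sorted(i for i, n in failures_by_identity(records).items() if n >= threshold)


def error_code_summary(records):
    """Tally (ResultType, ResultDescription) pairs across failed sign-ins."""
    return Counter((r["ResultType"], r["ResultDescription"])
                   for r in records if r["ResultType"] != "0")


def risk_detail_available(record):
    """Risk fields read "hidden" when the tenant lacks an Azure AD P2 license."""
    return record["RiskLevelDuringSignin"] != "hidden"


def pseudonym(value, secret=REDACTION_SECRET):
    """Keyed hash: the same user stays correlatable across rows, but the value
    itself is not recoverable by whoever receives the shared log."""
    return hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()[:12]


def redact_for_sharing(records, fields=PII_FIELDS):
    """Return copies of the records with PII fields pseudonymized; originals untouched."""
    redacted = []
    for r in records:
        copy = dict(r)
        for field in fields:
            if copy.get(field):
                copy[field] = pseudonym(copy[field])
        redacted.append(copy)
    return redacted


if __name__ == "__main__":
    print("review:", identities_to_review(SAMPLE_SIGNIN_LOG))
    print("codes:", dict(error_code_summary(SAMPLE_SIGNIN_LOG)))
    print("shareable:", redact_for_sharing(SAMPLE_SIGNIN_LOG)[1])
```

Pseudonymizing rather than blanking the identity keeps the failure pattern visible to the person troubleshooting (all of Bob's rows still line up) while the shared file no longer carries the name or address; keep the secret with the sharing party's own records and rotate it per share so pseudonyms cannot be joined across exports.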


Review and monitor Azure AD audit logs 

Organizations can use the Azure AD audit logs to track and monitor system activities across the 
Azure AD tenant for compliance and regulatory reasons. Audit logs track activities on various 
objects including users, groups, applications, and others. Table 4-8 summarizes the most common 
activities against different Azure AD objects found in the audit logs.
TABLE 4-8 Summary of activities tracked in the Azure AD audit logs 

Azure AD Object | Activity 
User | All create, update, and delete operations on the user object. Administrative actions including but not limited to resetting of users’ passwords, license assignments, etc. 
Group | All create, update, and delete operations on the group object. Administrative actions including but not limited to adding/removing users from/to the group, changing group ownership, assigning licenses to groups, etc. 
Application | All create, update, and delete operations on the application object. 
Other | Various Azure AD features log activities related to create, read, update, delete (CRUD) operations in the audit log. For example, when Azure AD conditional access policies are created, updated, or deleted, details about such activity will be available in the audit log for compliance.


To access Azure AD audit logs: 
1. Sign in to the Azure portal and navigate to Azure Active Directory. 


2. Select Audit logs, as shown in Figure 4-55. 

[Figure 4-55 shows the Default Directory | Audit logs blade with the Export Data Settings, Refresh, Columns and Got feedback? commands and the filters Date: Last 1 month, Show dates as: Local, Service: All, Category: All, Activity: All. The sample rows, all with Status Success, include Core Directory / Agreement / Add agreement, Conditional Access / Policy entries, Core Directory / GroupManagement / Add group, Add member to group and Add owner to group, Core Directory and PIM / RoleManagement / Add member to role, PIM / ResourceManagement / Add member to role, and Core Directory / Policy / Add policy.] 

FIGURE 4-55 Azure AD audit logs.
3. The Audit Log Details blade, as shown in Figure 4-56, appears when you select a particular audit log entry. This blade contains comprehensive details about the activity performed on a particular Azure AD object.


[Figure 4-56 shows the Audit Log Details blade with the tabs Activity, Target(s) and Modified Properties. The Activity tab lists Date 1/31/2022, 1:45 PM, Activity Type: Add agreement, a Correlation ID, Category, Status: success, Status reason and User Agent, and under Initiated by (actor): Type: Application, Display Name: AAD Terms Of Use, App ID, a Service principal ID and Service principal name.]

FIGURE 4-56 Audit log entry showing a detailed log with an Activity Type of Add agreement.


At times, you might want to filter the activities in the audit log based on datetime span, 
category, etc. Table 4-9 summarizes the commonly used filtering options available for audit 
logs activities. 
TABLE 4-9 Commonly used filtering options for Azure AD audit logs

Filter type   Filter target
-----------   -------------------------------------------------------------------------------
Category      All, AdministrativeUnit, Agreement, ApplicationManagement, AttributeManagement,
              Authentication, Authorization, AuthorizationPolicy,
              CertificateBasedAuthConfiguration, Contact, CrossTenantAccessSettings, Device,
              DeviceConfiguration, DeviceManagement, DeviceTemplate, DirectoryManagement,
              EntitlementManagement, ExternalUserProfile, GroupManagement, IdentityProtection,
              KerberosDomain, KeyManagement, Label, Other, PendingExternalUserProfile,
              PermissionGrantPolicy, Policy, PolicyManagement, PrivateEndpoint,
              PrivateLinkResource, ProvisioningManagement, ResourceManagement,
              RoleManagement, UserManagement
Service       All, AAD Management UX, Access Reviews, Account Provisioning, Application Proxy,
              Authentication Methods, Azure AD Recommendations, Azure MFA, B2C,
              Conditional Access, Core Directory, Device Registration Service,
              Entitlement Management, Hybrid Authentication, Identity Protection,
              Invited Users, MIM Service, Mobility Management, My Apps, PIM,
              Self-Service Group Management, Self-Service Password Management, Terms of Use
Activity      Administrative actions, including but not limited to adding users to or
              removing users from a group, changing group ownership, assigning licenses to
              groups, etc.
Date          Last 1 month, Last 7 days, Last 24 hours, Custom time interval
Status        All, Success, Failure
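Once the audit logs are routed to a Log Analytics workspace (see "Configure diagnostic settings" later in this chapter), each filter in Table 4-9 becomes a where clause on the AuditLogs table, and the portal's 30-day window is replaced by the workspace retention. The following query is an added example, not from the book or from Microsoft's documentation; it assumes AuditLogs is already arriving in the workspace and narrows the Category, Service, Date, Status, and Activity filters to one case worth alerting on: successful additions to the most privileged directory roles in the last seven days, with the actor and the target account pulled out of the InitiatedBy and TargetResources columns.

```kql
// Added example, not from the book: the Table 4-9 filters expressed in KQL over the
// AuditLogs table. Assumes the tenant's audit logs are already routed to this workspace.
AuditLogs
| where TimeGenerated > ago(7d)                              // Date: Last 7 days
| where Category == "RoleManagement"                         // Category filter
| where LoggedByService == "Core Directory"                  // Service filter (PIM writes its own entries under service "PIM")
| where Result == "success"                                  // Status filter
| where ActivityDisplayName == "Add member to role"          // Activity filter
// The actor is either a user (UPN) or an application (display name), never both.
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                          tostring(InitiatedBy.app.displayName))
| extend ActorType = iff(isnotnull(InitiatedBy.app), "Application", "User")
// TargetResources is an array; the entry carrying a userPrincipalName is the account that
// received the role. Service principals added to a role have no UPN and are dropped here;
// remove the isnotempty line to keep them.
| mv-expand Target = TargetResources
| where isnotempty(Target.userPrincipalName)
| extend TargetUser = tostring(Target.userPrincipalName)
// The role name sits in modifiedProperties as a JSON-encoded string ("\"Global Administrator\""),
// so the surrounding quotes are trimmed before comparing.
| mv-expand Prop = Target.modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
| extend RoleName = trim('"', tostring(Prop.newValue))
| where RoleName in ("Global Administrator", "Privileged Role Administrator",
                     "Privileged Authentication Administrator")
| project TimeGenerated, ActivityDisplayName, Actor, ActorType, TargetUser, RoleName, CorrelationId
| order by TimeGenerated desc
```

CorrelationId is kept in the output because every entry the same operation produced shares it, which is how you pull the related records (for example the matching PIM entry) when investigating. The same query, with the time filter removed, can be saved as an alert rule from the query editor's New alert rule command.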
Audit logs download

To download the Azure AD audit logs: 
1. Sign in to the Azure portal and navigate to Azure Active Directory. 
2. Select Audit logs. 


3. Select Download from the top row. This allows you to save the logs in CSV or JSON
format, as shown in Figure 4-57. The download honors the filters currently applied to the
blade and is capped at 250,000 records; for larger exports, use the Azure AD reporting
API (Microsoft Graph) or route the logs to a storage account or Log Analytics workspace
through diagnostic settings, described later in this chapter.


[Figure 4-57 shows the Audit logs blade with the Download Audit Logs pane open. The pane offers a Format choice (CSV or JSON) and a File Name (for example, AuditLogs_2022-02-26), and notes that you can download up to 250,000 records, that the reporting APIs should be used to download more, and that the download is based on the filter selections you have made.]

FIGURE 4-57 Download Azure AD audit logs.


Audit logs retention 


The audit logs retention period depends on the Azure AD license. For the Azure AD Free
license, the retention period is 7 days, while for Azure AD Premium P1 and P2 licenses, the
retention duration is 30 days. If your scenario requires you to retain the audit logs for a longer
duration, Azure Monitor can be used to push the audit logs to different Azure services, including
Log Analytics, Azure Storage, and Azure Event Hubs. Each of these services enables you to
persist logs for an extended duration based on your needs. Note that a diagnostic setting only
forwards events generated after it is created; it does not backfill events already in the tenant,
so configure the export before you need the history.
Configure diagnostic settings, including Log Analytics,
storage accounts, and Event Hub


Tracking activity within the Azure AD tenant, such as sign-in attempts and other administra- 
tive operations on the tenant, is a routine task for an IT team. The information required to track 
activities throughout the Azure AD tenant is available in the diagnostic logs for Azure AD. 


Azure AD provides a variety of diagnostic logs that can be ingested into various Azure ser- 
vices or third-party/partner solutions. Review Table 4-10, which lists various Azure AD diagnos- 
tics logs. 


TABLE 4-10 Azure AD diagnostic logs

Log                                  Description
------------------------------------ ------------------------------------------------------------
Sign-in                              Information about interactive user sign-ins to Azure AD.
Non-interactive sign-in (PREVIEW)    Information about non-interactive user sign-ins to Azure AD,
                                     that is, sign-ins performed by a client on behalf of a user
                                     without any interaction from the user.
Service principal sign-in (PREVIEW)  Information about sign-ins by applications and service
                                     principals that involve no user; the app presents its own
                                     credential (certificate or client secret).
Managed identity sign-in (PREVIEW)   Information about sign-ins by Azure resources that use
                                     secrets managed by Azure (managed identities) to
                                     authenticate against Azure AD.
Provisioning logs (PREVIEW)          Information about users, groups, and roles provisioned by
                                     the Azure AD provisioning service.
Audit Logs                           Information about system activities related to the
                                     management of users, groups, applications, and other
                                     directory objects.


License requirements 

An Azure Active Directory Premium P1 or P2 license is required for ingesting sign-in logs. Any 
other Azure AD license, including Azure AD Free, is sufficient to ingest other types of Azure AD 
diagnostic logs. 


IMPORTANT COST ASSOCIATED WITH LOGS INGESTION 

When configuring Azure AD diagnostic logs for ingestion, keep in mind the cost associated
with data ingestion on Azure Monitor. It is highly recommended that you estimate the
overall cost before starting the logs ingestion. For more information on this topic, refer to
this document: https://learn.microsoft.com/en-us/azure/azure-monitor/usage-estimated-costs.
The Diagnostic settings option for Azure AD is shown in Figure 4-58, while the Azure services
that can ingest the diagnostic logs are shown in Figure 4-59. Please see the links below for
step-by-step instructions on configuring diagnostic logs ingestion to Log Analytics, Azure
Storage accounts, and Azure Event Hubs.

■ Log Analytics: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics

■ Azure Storage account: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account

■ Azure Event Hubs: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub


[Figure 4-58 shows the Diagnostic settings blade of the tenant. Its description states that diagnostic settings configure streaming export of platform logs and metrics to the destination of your choice and that up to five diagnostic settings can be created to send different logs to independent destinations. One existing setting (aad-logs, sending to a Log Analytics workspace) is listed, with columns for Storage account, Event hub, Log Analytics workspace, and Partner solution. The log categories available for collection are AuditLogs, SignInLogs, NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, ManagedIdentitySignInLogs, ProvisioningLogs, ADFSSignInLogs, RiskyUsers, UserRiskEvents, NetworkAccessTrafficLogs, RiskyServicePrincipals, and ServicePrincipalRiskEvents.]

FIGURE 4-58 Azure Active Directory Diagnostic settings.
[Figure 4-59 shows the Diagnostic setting pane with a Diagnostic setting name (Contoso DiagnosticLogs), a Logs section with a checkbox for each category listed in Figure 4-58, and a Destination details section with the four destination options: Send to Log Analytics workspace, Archive to a storage account, Stream to an event hub, and Send to partner solution.]

FIGURE 4-59 Azure Active Directory Diagnostic setting logs and destinations.


EXAM TIP 


When preparing for the exam, pay attention to the fact that Azure AD activity logs may have 
different retention periods, even when the same Azure AD license is used. To get up-to-date 
retention duration for the logs, visit https://docs.microsoft.com/en-us/azure/active-directo- 
ry/reports-monitoring/reference-reports-data-retention. 


Export sign-in and audit logs to a third-party SIEM 


Azure AD diagnostic logs, including sign-in and audit logs, can be routed to third-party SIEM 
tools and services. Azure supports sending the logs to Azure Event Hub by using Azure Moni- 
tor, and the logs are then read by SIEM tools for further processing. Table 4-11 summarizes some 
third-party SIEM tools that can access the sign-in and audit logs through Azure Event Hub. 
TABLE 4-11 Third-party SIEM tools

Tool         Description
------------ ---------------------------------------------------------------------------------
Splunk       Splunk provides a range of security features including SIEM and SOAR capabilities.
             For more details, please review https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-splunk.
ArcSight     ArcSight is a SIEM tool that enables detection and response for a range of security
             threats. For more details, please review https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-arcsight.
Sumo Logic   Sumo Logic provides visual dashboards and real-time analysis of data. It can also be
             used to conduct real-time forensics and log management. For more details, please
             review https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-sumologic.


If your scenario requires working with a third-party SIEM tool, which may not have native 
capability to read data from Azure Event Hub, then building a custom connector using Event 
Hubs API might provide a better solution. 


NEED MORE REVIEW? AZURE EVENT HUB API 


Read more about Azure Event Hub API at https://docs.microsoft.com/en-us/rest/api/eventhub/ 


Monitor Azure AD by using Log Analytics, including 
KQL queries 
Log Analytics enables you to monitor and review a range of Azure AD activities based on vari- 
ous diagnostics logs using workbooks and Kusto Query Language (KQL) queries. 
Commonly used workbook use-cases include:

■ Get shareable, at-a-glance summary reports about your Azure AD tenant, as well as the
ability to create your own custom reports.

■ Find and diagnose sign-in failures, as well as see a trending picture of your organization's
sign-in health.

■ In a flexible, customizable format, monitor Azure AD logs for sign-ins, tenant administrator
actions, provisioning, and risk.

■ Keep an eye on trends in your tenant's use of Azure AD features like conditional access,
self-service password reset, and others.

■ Understand who is using legacy authentication to access your environment.

■ Understand the impact of your conditional access policies on the sign-in experience
of your users.


For more information on Azure AD monitoring with Log Analytics, visit 
https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/ 
how-to-use-azure-monitor-workbooks. 
Permission requirements

You must have access to the underlying Log Analytics workspace and be assigned to one of the
following roles to access workbooks in Azure Active Directory:

■ Global Reader
■ Reports Reader
■ Security Reader
■ Application Administrator
■ Cloud Application Administrator
■ Company Administrator (the legacy name of the Global Administrator role)
■ Security Administrator


Logs Schema 


Log Analytics can use a variety of logs provided by Azure AD. The list of commonly used Azure
AD diagnostic logs, along with their schema definitions, is provided below. Note that the
Log Analytics table names differ from the diagnostic setting category names: most carry an
AAD prefix (for example, the NonInteractiveUserSignInLogs category lands in the
AADNonInteractiveUserSignInLogs table), which is what you must use in a query.

■ AuditLogs: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/auditlogs

■ SignInLogs: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema#field-descriptions

■ NonInteractiveUserSignInLogs (table AADNonInteractiveUserSignInLogs): https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadnoninteractiveusersigninlogs

■ ServicePrincipalSignInLogs (table AADServicePrincipalSignInLogs): https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadserviceprincipalsigninlogs

■ ManagedIdentitySignInLogs (table AADManagedIdentitySignInLogs): https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadmanagedidentitysigninlogs

■ ProvisioningLogs (table AADProvisioningLogs): https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadprovisioninglogs

■ ADFSSignInLogs: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/adfssigninlogs

■ RiskyUsers (table AADRiskyUsers): https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadriskyusers

■ UserRiskEvents (table AADUserRiskEvents): https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/aaduserriskevents


Log Analytics displays Azure AD logs as tables, as shown in Figure 4-60, with the Audit logs 
table selected. Figure 4-61 shows the Audit logs table's fields and the data types associated 
with them. 
[Figure 4-60 shows the Log Analytics query editor scoped to the aad-logs workspace, with the Tables pane (grouped by solution) open and the AuditLogs table selected. The table's description reads: "Audit log for Azure Active Directory. Includes system activity information about user and group management, managed applications and directory activities." Figure 4-61 expands the AuditLogs table to show its fields and data types, beginning with AADOperationType (string), AADTenantId (string), ActivityDateTime (datetime), ActivityDisplayName (string), AdditionalDetails (dynamic), Category (string), CorrelationId (string), DurationMs (long), Id (string), and Identity (string).]

FIGURE 4-60 Log Analytics tables with the AuditLogs table selected.

FIGURE 4-61 Azure AD Audit logs fields along with data types.
Working with KQL Queries

The Kusto Query Language (KQL) allows you to explore data and identify useful patterns and
anomalies, as well as perform basic and advanced statistical analysis. KQL queries use schema
entities organized in a hierarchy similar to SQL's databases, tables, and columns, which makes
them easier to learn.


The majority of KQL queries are driven by scenarios. For example, the KQL query shown in 
Figure 4-62 will return the top ten Azure AD applications used in the last 14 days. 


    SigninLogs
    | where CreatedDateTime >= ago(14d)
    | summarize signInCount = count() by AppDisplayName
    | order by signInCount desc
    | take 10

As shown in the figure, the query ends at the order by and therefore returns every application
(the results pane reads 1-9 of 100); the final take 10 shown above limits it to the ten the caption
promises. Filtering on TimeGenerated rather than CreatedDateTime is also the more efficient
choice, because TimeGenerated is the ingestion time column the workspace indexes.

[Figure 4-62 shows the query and its results: AppDisplayName with signInCount, led by Microsoft Azure Active Directory Connect (5,383), Microsoft 365 Security and Compliance Center (4,189), Azure Portal (3,967), Office365 Shell WCSS-Client (1,568), WindowsDefenderATP (1,319), Azure Advanced Threat Protection (1,079), Azure AD Identity Governance - Entitlement Management (772), and Microsoft Exchange Online Protection (398).]

FIGURE 4-62 KQL query to list the top ten Azure AD applications used in the last 14 days.


Another useful KQL query is shown in Figure 4-63, which displays a chart of successful sign- 
ins per city during the last 24 hours. 
[Figure 4-63 shows the Log Analytics chart view of successful sign-ins by city for the last 24 hours (148 records returned).]

FIGURE 4-63 KQL query displaying a graph of successful sign-ins by city in the last 24 hours.
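The queries below are added examples, not from the book, written against the SignInLogs table (which, as noted earlier, requires Azure AD Premium P1 or P2 to route to a workspace). The first produces a chart of the kind Figure 4-63 describes; the second and third cover two of the workbook use-cases listed above for which the book shows no query, legacy authentication and conditional access impact. The list of legacy client names is an assumption drawn from the values Azure AD reports in ClientAppUsed; check it against your own tenant. Each query runs on its own: place the cursor inside it before selecting Run.

```kql
// Added examples, not from the book. Assumes SignInLogs is routed to this workspace.

// 1. Successful sign-ins per city in the last 24 hours, rendered as a chart (cf. Figure 4-63).
SignInLogs
| where TimeGenerated > ago(24h)
| where ResultType == "0"                      // "0" is success; anything else is an AADSTS error code
| summarize SignIns = count() by City = tostring(LocationDetails.city)
| order by SignIns desc
| render barchart

// 2. Who still authenticates with legacy protocols, and to which apps?
// The client names below are an assumed list of ClientAppUsed values; adjust for your tenant.
let legacyClients = dynamic(["Exchange ActiveSync", "Exchange Online PowerShell",
    "Exchange Web Services", "IMAP4", "MAPI Over HTTP", "Offline Address Book",
    "Other clients", "Outlook Anywhere (RPC over HTTP)", "POP3", "Authenticated SMTP", "SMTP"]);
SignInLogs
| where TimeGenerated > ago(30d)
| where ClientAppUsed in (legacyClients)
| where ResultType == "0"                      // only sign-ins that actually succeeded matter here
| summarize SignIns = count(), LastSeen = max(TimeGenerated), Apps = make_set(AppDisplayName, 10)
    by UserPrincipalName, ClientAppUsed
| order by SignIns desc

// 3. Which conditional access policies are blocking sign-ins, to which apps, and how often?
SignInLogs
| where TimeGenerated > ago(7d)
| where ConditionalAccessStatus == "failure"
| mv-expand Policy = ConditionalAccessPolicies   // one row per evaluated policy
| where tostring(Policy.result) == "failure"     // other values: success, notApplied, notEnabled, reportOnly*
| summarize BlockedSignIns = count(), Users = dcount(UserPrincipalName),
    ErrorCodes = make_set(ResultType, 5)
    by PolicyName = tostring(Policy.displayName), AppDisplayName
| order by BlockedSignIns desc
```

Query 2 is the list you work from when preparing to block legacy authentication with conditional access: every row is a user who would be locked out of that client on the day the policy is enforced. Query 3 gives the same policy-by-policy picture for policies already in place; for policies still in report-only mode, filter on the reportOnlyFailure result instead of failure to see what they would block.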


Please use the links below to learn more about KQL queries and their usage to monitor 
Azure AD. 


■ Monitoring Azure AD applications sign-in health for resilience using KQL:
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/monitor-sign-in-health-for-resilience#kusto-query-for-increase-in-failure-rate

■ Sample KQL queries: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/samples?pivots=azuremonitor

■ KQL query best practices: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/best-practices


Analyze Azure AD by using workbooks and reporting in the 
Azure Active Directory admin center 


Azure AD usage and insights reports provide useful information about application-related 
sign-in activity with a focus on: 


■ Azure AD Application Activity (Preview): This dashboard helps you analyze various
application usage patterns including most-used applications, successful and failed sign-
ins, and success rate of sign-ins.

■ Authentication methods activity: Provides insights about the various authentication
methods that are registered within an Azure AD tenant and how they're being used.

■ AD FS application activity: This report provides details about applications using AD FS
that may be potential candidates for migration to Azure AD.


Permission requirements 
A user must be in one of the following roles to view usage and insights reports:

■ Global Administrator
■ Security Administrator
■ Security Reader
■ Reports Reader
To view the usage and insights: 
1. Sign in to the Azure portal and select Azure Active Directory. 


2. Select Usage & insights, as shown in Figure 4-64. 


[Figure 4-64 shows the Azure Active Directory Overview blade of the Default Directory tenant (licensed Azure AD Premium P2). In the left menu, the Monitoring section lists Sign-in logs, Audit logs, Provisioning logs, Log Analytics, Diagnostic settings, Workbooks, Usage & insights, and Bulk operation results (Preview), with Usage & insights highlighted.]

FIGURE 4-64 Azure Active Directory Usage & insights.


3. From the list of application activity reports, select Azure AD application activity 
(Preview), as shown in Figure 4-65. This report provides details about sign-in activities 
against various Enterprise applications within Azure AD. 
[Figure 4-65 shows the Usage & insights blade with three reports in its left menu: Azure AD application activity (Preview), ADFS application activity, and Authentication methods activity. The Azure AD application activity report, described as "your most active applications; see which ones have a low sign in success rate," lists for a selectable period (30 days) each application with its Successful sign-ins, Failed sign-ins, Success rate, and a View sign in activity link. For example, Azure Portal shows 35 successful and 1 failed sign-in for a 97.22% success rate; My Profile, My Access, and Microsoft App... show 100.00%.]

FIGURE 4-65 List of Usage & insights reports.


4. Select View sign-in activity for Azure portal to navigate to the Usage & insights 
dashboard, as shown in Figure 4-66. 


[Figure 4-66 shows the Usage & insights dashboard for Azure Portal: a Sign-in activity chart over the selected date range (Feb 6 to Feb 27), links to Review inactive users and Start a new access review, and a Sign-in failures table with the columns Error, Error code, Occurrences, and Last seen, containing one entry (error code 50126, 1 occurrence, last seen 2/4/2022).]

FIGURE 4-66 Usage & insights dashboard for Azure portal.
5. Close the dashboard and select Authentication methods activity to view the dashboard
shown in Figure 4-67, which provides telemetry related to the registration and usage of
the various authentication methods.


[Figure 4-67 shows the Authentication methods | Activity blade of the tenant's Azure AD Security area, with Registration and Usage tabs. The Registration tab reports Users capable of Azure multi-factor authentication (2 of 10 total), Users capable of self-service password reset (0 of 10 total; 100% of the organization isn't enabled), and Users capable of passwordless authentication (0 of 10 total), followed by charts of Users registered by authentication method and Recent registrations by authentication method. The left menu also offers Policies, Password protection, Registration campaign, User registration details, Registration and reset events, and Bulk operation results.]

FIGURE 4-67 Usage & insights dashboard for Authentication methods.
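The Usage & insights report is bounded by its date selector (30 days in Figure 4-65) and shows only the portal's own definition of a failed sign-in. When SignInLogs is also routed to Log Analytics, the per-application success rate of Figure 4-65 and the per-error-code failure breakdown of Figure 4-66 can be recomputed for any window the workspace retains, filtered or joined as needed. The following queries are an added example, not from the book; they assume SignInLogs in the workspace, and "Azure Portal" is only the application the figures happen to use.

```kql
// Added example, not from the book: the Usage & insights application activity report
// recomputed from SignInLogs. Assumes SignInLogs is routed to this workspace.

// Per-application success rate (the table in Figure 4-65), worst applications first.
SignInLogs
| where TimeGenerated > ago(30d)
| summarize Successful = countif(ResultType == "0"),      // "0" is success
            Failed = countif(ResultType != "0")
    by AppDisplayName
| extend Total = Successful + Failed
| extend SuccessRate = round(100.0 * Successful / Total, 2)
| where Total >= 10                                      // too few sign-ins to judge otherwise
| order by SuccessRate asc, Total desc
| project AppDisplayName, Successful, Failed, SuccessRate

// Failure breakdown for one application (the Sign-in failures table in Figure 4-66).
// "Azure Portal" is only the example application from the figures.
SignInLogs
| where TimeGenerated > ago(30d)
| where AppDisplayName == "Azure Portal" and ResultType != "0"
| summarize Occurrences = count(), LastSeen = max(TimeGenerated),
            AffectedUsers = dcount(UserPrincipalName)
    by ErrorCode = ResultType, Error = ResultDescription
| order by Occurrences desc
```

Interactive sign-ins that were interrupted rather than refused (an MFA prompt, a consent screen, a password change) also carry a non-zero ResultType, so the counts will not match the portal report exactly; the second query makes that visible by listing each code with its description, which is the detail the dashboard's single-row table does not give you.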
Configure notifications

Email notifications can be configured for Azure AD Domain Services (Azure AD DS) managed
domains, which will send alerts whenever health-related issues are detected in the managed
domain. Follow the steps below to configure email notifications:

1. Sign in to the Azure portal and select Azure AD Domain Services.
2. Select the managed domain (for example, identity.contoso.com).
3. Select Notification settings under the Settings section.


4. You can add or remove existing email recipients, as shown in Figure 4-68. 


[Figure 4-68 shows the Notification settings blade of an Azure AD Domain Services managed domain. Under "Choose who should get email alerts for issues affecting this managed domain" are two checkboxes, All Global Administrators of the Azure AD directory and Members of the AAD DC Administrators group, followed by a Send email alerts to list of individual addresses (notify@contoso.com, support@contoso.com) and a field to add another email to be contacted.]

FIGURE 4-68 Notification settings for Azure AD Domain Services.


In addition to configuring individual email addresses, you can also select an option to send
email notifications to all members of Global Administrators and AAD DC Administrators.

NOTE MAXIMUM NUMBER OF EMAIL ADDRESSES

Azure AD DS allows up to five individual email addresses to be added for email notifications.
Also, when Azure AD DS sends a notification, it caps the total number of recipients at 100,
including the members of the Global Administrators role and the AAD DC Administrators
group.
Monitor and improve the security posture by using the
Identity Secure Score


The Identity Secure Score, as shown in Figure 4-69, allows you to objectively assess the identity 
security posture of an Azure AD tenant, plan security improvements, and finally assess the suc- 
cess of those improvements. The Identity Secure Score is a percentage that indicates how well 
an Azure AD tenant configuration is aligned with Microsoft's best practice security recommen- 
dations. Each Identity Secure Score improvement action is tailored to a specific configuration 
within the Azure AD tenant. 


[Figure 4-69 shows the Security | Identity Secure Score blade. It describes Microsoft Secure Score for Identity as a representation of your organization's security posture and your opportunity to improve it, and displays the tenant's score (16.18%, last updated 10/14/2022) beside a comparison with a typical 1-100 person company (57.00%), a Score history chart selectable for 30, 60, or 90 days, and an Improvement actions table with the columns Name, Score impact, User impact, and Implementation cost. Listed actions include Use least privileged administrative roles (1.79%, Low, Low), Protect all users with a user risk policy (12.50%, Moderate, Moderate), and Designate more than one global... (1.79%, Low, Low).]

FIGURE 4-69 Identity Secure Score.


Azure examines the security settings for the Azure AD tenant every 48 hours and compares 
them to the advised best practices. A new score is determined for the Azure AD tenant based 
on the results of this assessment. You can also choose the recommended improvement action 
and then act on it. Figure 4-70 shows the improvement action “Use least privileged administra- 
tive roles,” and the status dropdown displays the most recent status of the improvement ac- 
tion. To learn more about improvement actions please visit https://learn.microsoft.com/en-us/ 
azure/active-directory/fundamentals/identity-secure-score. 
FIGURE 4-70 Identity Secure Score with an Improvement action.


Chapter summary

■ Identity Governance features in Azure AD enable organizations to perform entitlement
management, access reviews, and Privileged Identity Management (PIM) in a streamlined
fashion.

■ Entitlement management enables organizations to provide just-enough access to users,
with the ability to track all their activity through Azure AD audit and sign-in logs.

■ An Azure AD Premium P2 license is required to perform access reviews but not to create
and configure their settings.

■ PIM can include resources within the Azure subscription, Azure AD, and various other
Microsoft Online Services, such as Microsoft 365.

■ Emergency accounts in Azure AD play a critical role in making sure that administrative
tasks against Azure AD can be performed without disruption even when regular user
accounts with administrative permissions are no longer available.

■ Azure AD audit logs help organizations track system activities across the Azure AD
tenant for compliance and regulatory reasons.

■ Azure AD sign-in logs provide information about user sign-ins, including authentication
details, failures during sign-in, device details, location, etc.

■ Azure Sentinel (now Microsoft Sentinel) provides security information and event
management (SIEM) capabilities to Azure AD by ingesting its diagnostic logs.

■ Sign-in logs can be ingested by Microsoft Sentinel, but an Azure AD Premium (P1 or P2)
license is required.

■ Azure AD Usage & Insights reports provide useful information about application-related
sign-in activity in the form of visual dashboards.

■ Identity Secure Score enables you to objectively assess your identity security posture,
plan security improvements, and, finally, assess the success of those improvements.


Thought experiment 


In this thought experiment, demonstrate your skills and knowledge of the topics covered in this 
chapter. You can find answers to this thought experiment in the next section. 


You work as an Azure AD administrator for Woodgrove Bank, a large-scale commercial bank 
that provides financial services to millions of users worldwide. Woodgrove Bank has thousands 
of full-time employees and part-time contractors spread across the globe. Due to cybersecu- 
rity challenges, the Woodgrove CISO has put forward a high-level plan to improve the overall 
security posture of the organization by implementing just-enough access, just-in-time access, 
and security information and event management (SIEM) capabilities on an urgent basis. 


You are assigned to plan and implement these capabilities. 


Woodgrove Bank employees and external contractors use SharePoint Online and Microsoft
Teams for document sharing and collaboration purposes. Due to the geo-dispersed nature of
the teams within the bank, it is hard to assign correct access to new employees and to revoke
access when they switch teams. Also, external contractors find it hard to request access to the
resources. This creates overhead for administrators who need to grant access to the external
contractors on an ad-hoc basis without a proper workflow. This is identified as a security risk that
needs to be remediated.

Woodgrove Bank currently does not have any monitoring in place, which makes it very hard
to track what is happening in the environment. Administrators manually download activity logs
(particularly sign-in logs) on an ad-hoc basis, but they don't have the ability to view reports in
the form of dashboards that can provide a comprehensive breakdown of sign-ins and system-
wide activity within the Azure AD tenant.

Finally, Woodgrove Bank has a regulatory requirement to track and archive system activities,
including creation, updating, and deletion of user accounts, for 365 days. It is also required to
export sign-in logs to various third-party SIEM providers.
With this information in mind, answer the following questions:


1. What is needed to be implemented to automate the access request process to the 
required resources by employees and external contractors? 


2. What type of Azure AD diagnostic log appropriately tracks the creation, updating, and 
deletion of the user accounts? 


3. How should SIEM capabilities to monitor and analyze activities within the environment 
be achieved? 


4. Which Azure service should sign-in logs be sent to so that third-party SIEM providers 
can access them? 


Thought experiment answers 


This section contains the solution to the thought experiment. Each answer explains why the 
answer choice is correct. 


1. Access package. With an access package, an administrator can bundle the resources 
such as SharePoint Online, Teams, etc. with the correct access that a user needs to per- 
form the job. Instead of granting access to individual resources, access packages help to 
grant or remove access in a more streamlined fashion. 


2. Azure AD audit logs. The Azure AD audit logs provide records of system activities, including creation, updating, and deletion of user accounts. 


3. Azure Sentinel. Azure Sentinel has built-in security information and event manage- 
ment (SIEM) capabilities, which include features like workbooks that provide reporting 
through visual dashboards, which can be used for monitoring and analytics. 


4. Azure Event Hub. Azure supports sending sign-in logs to Azure Event Hub, which can be 
read by SIEM tools for further processing. 
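As an added example (not part of the book), the following Python check shows what answer 2 means in practice: once audit logs have been exported, the user-management records can be filtered down to account creation, update and deletion events inside the 365-day window the scenario requires, and an account's lifecycle reconstructed. The record field names follow my understanding of the Azure AD audit log export shape and are an assumption; the sample records themselves are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed Azure AD audit log export, one JSON record per line. The field
# names (activityDateTime, category, activityDisplayName, initiatedBy,
# targetResources, result) are my assumption of the export shape, not
# something the chapter states; every value is invented for this example.
SAMPLE_AUDIT_LOG = """
{"activityDateTime": "2022-03-01T09:12:00Z", "category": "UserManagement", "activityDisplayName": "Add user", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "hr-admin@woodgrove.example"}}, "targetResources": [{"type": "User", "userPrincipalName": "contractor1@woodgrove.example"}]}
{"activityDateTime": "2022-03-02T10:00:00Z", "category": "GroupManagement", "activityDisplayName": "Add member to group", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "hr-admin@woodgrove.example"}}, "targetResources": [{"type": "User", "userPrincipalName": "contractor1@woodgrove.example"}]}
{"activityDateTime": "2022-06-15T14:30:00Z", "category": "UserManagement", "activityDisplayName": "Update user", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "hr-admin@woodgrove.example"}}, "targetResources": [{"type": "User", "userPrincipalName": "contractor1@woodgrove.example"}]}
{"activityDateTime": "2022-12-20T08:05:00Z", "category": "UserManagement", "activityDisplayName": "Delete user", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "it-ops@woodgrove.example"}}, "targetResources": [{"type": "User", "userPrincipalName": "contractor1@woodgrove.example"}]}
{"activityDateTime": "2020-01-10T11:00:00Z", "category": "UserManagement", "activityDisplayName": "Add user", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "hr-admin@woodgrove.example"}}, "targetResources": [{"type": "User", "userPrincipalName": "old-hire@woodgrove.example"}]}
"""

# The account-lifecycle operations the scenario must be able to track.
USER_LIFECYCLE_OPS = {"Add user", "Update user", "Delete user"}

def parse_audit_records(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def _timestamp(iso_z):
    """Azure timestamps end in 'Z'; turn them into timezone-aware datetimes."""
    return datetime.fromisoformat(iso_z.replace("Z", "+00:00"))

def user_lifecycle_events(records, now, retention_days=365):
    """Flatten user create/update/delete records inside the retention window
    (365 days, the scenario's requirement) into (time, op, actor, target, result)."""
    cutoff = now - timedelta(days=retention_days)
    events = []
    for rec in records:
        if rec.get("category") != "UserManagement":
            continue                      # e.g. group membership changes
        op = rec.get("activityDisplayName")
        if op not in USER_LIFECYCLE_OPS:
            continue
        when = _timestamp(rec["activityDateTime"])
        if when < cutoff:
            continue                      # older than the archive window
        actor = (rec.get("initiatedBy", {}).get("user", {})
                 .get("userPrincipalName", "<unknown>"))
        for target in rec.get("targetResources", []):
            if target.get("type") == "User":
                events.append((when, op, actor,
                               target.get("userPrincipalName"), rec.get("result")))
    return sorted(events)

def history_for_user(events, upn):
    """One account's lifecycle: (operation, actor, date) in chronological order."""
    return [(op, actor, when.date().isoformat())
            for when, op, actor, target, _ in events if target == upn]

def demo_history(now_iso="2023-01-01T00:00:00Z", upn="contractor1@woodgrove.example"):
    """Run the whole pipeline over the constructed sample at a fixed 'now'."""
    events = user_lifecycle_events(parse_audit_records(SAMPLE_AUDIT_LOG),
                                   _timestamp(now_iso))
    return history_for_user(events, upn)

if __name__ == "__main__":
    for op, actor, day in demo_history():
        print(f"{day}  {op:12} by {actor}")
```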
permissions 
app consent, blocking users, 209 
app management roles, 208-212. See also roles 
App passwords, MFA service settings, 118 
app provisioning, 225-228 
app registrations, 240-250 
app roles, creating, 257-260. See also roles 
Application Activity report, ADFS (Active Directory Federation Services), 207-208 
application admin roles, 245. See also roles 
application authorization, 250-260 
application behavior controls, 218 
Application ID URI, 250 
application management, built-in roles, 212-215 
Application Objects, 241-244 
application ownership, 211-212 
application permissions, 250-260 
Application Proxy, 229-234 
application registrations, implementing, 244-250 
application user provisioning, 225-229 
apps. See also access management; Azure AD Application Proxy 
access reviews, 306-311 
discovering, 202-208 
planning access reviews for, 305 
publishing in gallery, 225 
ArcSight tool for SIEM, 348 
assignments 
access packages, 300 
eligible and active, 327 
audit, Azure AD admin center, 336-344 
audit history and reports, PIM (Privileged Identity Management), 330-333 
SSPR (self-service password reset), 110-112 
authorization. See application authorization 
Azure AD (Active Directory). See also monitoring Azure AD 
access management, 22 
access reviews, 313 
administrative units, 11-14 
analyzing, 352-355 
app registration control, 209 
application gallery, 216-219 
Application Object key properties, 241 
application properties, 219 
audit logs, 234-236 
CBA (certificate-based authentication), 144-146 
conditional access app control, 266-270 
configuring delegation, 11-14 
configuring notifications, 356 
Cost Analysis tool, 323 
custom domains, 16-20 
data location, 21 
design strategy for monitoring, 336 
diagnostic logs, 349 
dynamic groups, 29 
email one-time passcodes, 52-54 
emergency accounts, 5 
external user accounts, 51-54 
features, 1 
Group Expiration policy, 33 
group nesting, 28 
Identity Governance, 153 
identity providers, 54-56 
IdFix tool, 61 
integrating SaaS applications, 220-225 
inviting users, 45-50 
LinkedIn accounts, 22 
Password Protection, 140-142 
privacy information, 20 
Privileged Identity Management, 5 
resending invitation emails, 51 
sign-in logs schema, 337 
smart lockout, 143-144 
SSO (Single Sign-On), 36 
tenancy, 260 
tenant setup, 1 
tenant-wide settings, 20-22 
usage insights, 236-237 
What If tool, 148-149 
Azure AD admin center. See also monitoring Azure AD 
audit, 336-344 
provisioning logs, 336-344 
sign-in, 336-344 
workbooks and reporting, 352-355 
Azure AD Application Proxy, 229-234. See also apps 
Azure AD B2B, 40-42, 44 
federation, 54-56 
guests invite, 50 
user credentials, 52 
Azure AD Connect 
and ADFS (Active Directory Federation Services), 84-91 
installation prerequisites, 83 
troubleshooting synchronization, 99-101 
Azure AD Connect cloud sync, hybrid identity, 66-74 
Azure AD Connect Health, hybrid identity, 91-98 
Azure AD Connect, hybrid identity, 57-66 
Azure AD DS, email addresses, 356 
Azure AD identities 

device joins and registrations, 33-37 


device writeback, 37 
groups, 26-33 
licenses, 37-40 
SAML, 54-56 
users, 23-25 
writeback, 33-37 
WS-Fed, 54-56 
Azure AD Identity Governance 
connected organizations, 298-299 
lifecycle of external users, 297-298 
overview, 283 


Azure AD Join, 34 

Azure AD logs, integrating with Azure Monitor, 186 
Azure AD P2 license, 301-302, 320 

Azure AD Registration, 34 


Azure AD roles. See also administrative roles; app roles; application admin roles; Azure AD roles; custom roles 


for application management, 212-213 
assigning, 190-191 
assigning membership, 322-323 
assigning to applications, 258-259 
assigning to groups, 259-260 
assigning to users, 259-260 
configuring, 191-192 
configuring and managing, 3-11 
documentation, 11 
Graph API, 11 
permissions, 14-16 
PIM (Privileged Identity Management), 320-328 
planning access reviews for, 306 
resources about, 4 
Azure AD user authentication 
Linux virtual machines, 146-147 
planning for, 124-125 
Windows virtual machines, 146-147 
Azure MFA 
access management, 108 
enforcing, 160 
evaluating, 125 
licensing requirements, 107-108 
planning deployment, 106-108 
registration policy, 175-176 
rollout strategy, 107 
supported devices, 123 
Azure Monitor, 344-349. See also monitoring Azure AD 
Azure portal 
Azure AD roles, 5-7 
bulk inviting guests, 49-50 
creating groups, 27-28 
creating users, 23-25 


Azure resource management, PIM (Privileged Identity Management), 328-329 


Azure resource roles 
access reviews, 313 
planning access reviews for, 306 
B 


banned passwords, 135-140. See also passwords 
Block User, Risky Users report, 179 
Block/unblock users, MFA service settings, 119 


break-glass accounts, PIM (Privileged Identity Management), 334 


BYOD (Bring Your Own Device), 34 


C 


CAE (Continuous Access Evaluation), 167 
CallerIPAddress, sign-in log schema, 337 
CASB (Cloud Access Security Broker), 202 
catalogs, entitlement management, 286-288 
Category filter, audit logs, 343 


CBA (certificate-based authentication), 144-146. See also authentication 


certificate, App Registration, 248-249 
claims and token types, 249 
ClaimsXray app 
custom SSO integration, 221-225 
role claim, 256 
Client Secret, App Registration, 248-249 


cloud apps. See MCAS (Microsoft Cloud App Security); Microsoft Defender for Cloud Apps 


Collaboration restrictions, Azure AD, 44. See also external collaboration 


combined registration feature, 125 
conditional access 

app control, 266-270 

CAE (Continuous Access Evaluation), 167 

deployment planning, 151 

device-enforcement restrictions, 165-166 

enforce MFA, 160 

evaluation, 167 

licensing requirements, 149-150 

policies, 262 

security defaults, 152 

session management, 165 

ToU (Terms of Use), 153-159 

Windows Hello for Business, 134 
conditional access policies 

assignments, 152-153 

controls, 159 

creating from templates, 167 


deployment planning, 151 
planning, 147-148 

and Sign-in risk signal, 160 
terms of use, 296 

testing, 161-162 
troubleshooting, 163-164 


connected organizations, configuring and managing, 298-299 


connectors to apps, configuring, 264-265 


consent settings, implementing and configuring, 238-240. See also admin consent 


Cost Analysis tool, 323 

custom app integration, 220-225 
custom domains, Azure AD, 16-20 
custom roles, 213-215. See also roles 
CustomApp, 241-242 


D 


data location, Azure AD (Active Directory), 21 
Date filter, audit logs, 343 

delegated permissions, 251 

delegation, Azure AD (Active Directory), 11-14 


device joins and registrations, Azure AD identities, 33-37 


Device writeback, Azure AD identities, 37 
diagnostic logs, Azure AD, 349 

diagnostic settings, configuring, 345-347 

DNS names, adding, 19 

domains, Azure AD (Active Directory), 16-20 
Dual Enrollment, Windows Hello for Business, 133 
dynamic groups, Azure AD (Active Directory), 29 
Dynamic Lock, Windows Hello for Business, 133 


E 


effective permissions, 251 
eligible and active assignments, 327 
email addresses, Azure AD DS, 356 
email one-time passcodes, Azure AD, 52-54 
Enterprise application, 234-237 
entitlement management 
access packages, 288-293, 300-301 
access requests, 293-294 
catalogs, 286-288 
per-user entitlement, 299-300 
planning entitlements, 284-286 
roles and tasks, 285-286 

ToU (Terms of Use), 295-297 
error codes, analyzing for troubleshooting, 340 
Event Hub, 345-347 
Exchange Online, 262 


external collaboration, Azure AD, 41-44. See also Collaboration restrictions 


external users. See also users 
accounts, 45-50 
lifecycle in Identity Governance, 297-298 


F 


Federated Credentials, App Registration, 248-249 
Federation, hybrid identity, 82-91 

FIDO2 security key authentication, 124-132 

Fraud alert, MFA service settings, 119 


G 


Global Administrator, Azure AD, 21 
Graph API 

access reviews, 314 

Azure AD roles, 11 
Group Expiration policy, Azure AD, 33 
group nesting, Azure AD (Active Directory), 28 
groups 

access reviews, 306-311 

assigning to roles, 259-260 

Azure AD identities, 26-33 

planning access reviews for, 304 

privileged access, 329 
groups and apps, access reviews, 306-311 


guest permissions, Azure AD, 43-44. See also permissions 


guest user account, removing, 297 
guests, bulk inviting in Azure AD, 49-50 


H 


Hybrid Azure AD Join, 34-36 
hybrid identity. See also Identity 
ADFS deployment, 82-91 
Azure AD Connect, 57-66 
Azure AD Connect cloud sync, 66-74 
Azure AD Connect Health, 91-98 
Federation, 82-91 
PHS (Password Hash Synchronization), 74-77 


PTA (Pass-Through Authentication), 77-81 
SSO (Single Sign-On), 81-82 
synchronization errors, 99-101 


I 


Identity, sign-in log schema, 337. See also hybrid identity 
Identity Governance, Azure AD, 153 

identity lifecycle, 283 

Identity platform, protocols, 221 


Identity Protection. See AADIP (Azure AD Identity Protection) 


identity providers, Azure AD (Active Directory), 54-56 
Identity Secure Score, 357-358 

IdFix tool, Azure AD (Active Directory), 61 

idToken, 249 

invitation email, resending in Azure AD, 51 


J 

Join 
Hybrid Azure AD, 34-36 
Workplace, 34 


K 


KDC (Key Distribution Service), 140 


Key Vault RBAC and policies, 196-198. See also RBAC (role-based access control) 


KQL (Kusto Query Language), 348-352 


L 


licenses 
access reviews, 301, 318 
Azure AD identities, 37-40 
Azure AD P2, 301-302, 320 
external identities, 44 
PIM (Privileged Identity Management), 324 
sign-in logs, 339, 345 
Linked application, Azure AD gallery, 216 
LinkedIn accounts, Azure AD (Active Directory), 22 
Linux virtual machines, user authentication, 146-147 
LOB (line-of-business) applications, 240-244 
Location, sign-in log schema, 337 
locked accounts, 143-144 
Log Analytics, 345-352 
Logic Apps, 293 


M 


malicious applications, dealing with, 255 
ManagedIdentitySignInLogs, Log Analytics, 349 
MCAS (Microsoft Cloud App Security), 202-205 
MFA (Multifactor Authentication) 
access management, 108 
enforcing, 160 
evaluating, 125 
licensing requirements, 107-108 
planning deployment, 106-108 
registration policy, 175-176 
rollout strategy, 107 
supported devices, 123 
MFA registration policy, 175-176 
MFA settings 
activity monitoring, 123 
implementing and managing, 115-119 
third-party and on-premises devices, 122-123 
for users, 119-122 
Microsoft Authenticator app, 124 
Microsoft Defender for Cloud Apps 
access policies, 270-274 
architecture, 203 
cloud discovery, 203-204 
conditional access, 266-270 
configuring connectors, 264-265 
connectors to apps, 264-265 
implementing restrictions, 261-264 
limiting SharePoint sites, 263-264 
policies for OAuth apps, 275-278 
sanctioned apps, 205 
session policies, 270-274 
using, 202-208 
Microsoft Identity, protocols, 221 


monitoring Azure AD. See also Azure AD admin center; Azure Monitor 


designing a strategy, 336 

KQL queries, 348-352 

Log Analytics, 348-352 

notifications, 356 

using, 335 
Multifactor Unlock, Windows Hello for Business, 133 
multi-tenant apps, 260. See also tenant-wide settings 
My Access portal, 286, 293, 315-316 


N 


NonInteractiveUserSignInLogs, Log Analytics, 349 
Notifications, MFA service settings, 119 


O 


OATH tokens, MFA service settings, 119, 125 
OAuth apps, policies, 275-278 
OAuth authorization, 221 
OAuth2 protocol, 251, 253 
OIDC (OpenID Connect) authentication, 221, 225 
scope, 252 
tokens, 253 
on-premises apps, integrating, 229-234 
OpenID Connect application, Azure AD gallery, 216 
OperationName, sign-in log schema, 337 
organizations. See connected organizations 
OTP (one-time passcode), 298 


P 


password protection, 135-142. See also SSPR (self-service password reset) 


passwordless authentication, 125 
passwords. See also banned passwords 
authentication, 124 
banned list, 135 


permissions. See also API permissions; application permissions; guest permissions; role permissions 


Azure AD roles, 8-11 

and scopes, 250-254 

users and guests, 43 
per-user entitlement, reviewing, 299-300. See also users 
Phone call settings, MFA service settings, 119 
PHS (Password Hash Synchronization), 61, 74-77, 81 
PII (Personally Identifiable Information), 338 
PIM (Privileged Identity Management) 

assignment settings, 327-328 

audit history and reports, 330-333 

Azure resource management, 328-329 

Azure roles, 320-323 

break-glass accounts, 334 

configuring for Azure AD roles, 324-328 

cost benefit analysis, 323 

licensing, 324 
PIN Reset, Windows Hello for Business, 134 
privacy information, Azure AD (Active Directory), 20 
privileged access 

break-glass accounts, 334 

groups, 329 

overview, 320 
provisioning, support for, 225-228 
provisioning logs, Azure AD admin center, 336-344 
ProvisioningLogs, Log Analytics, 349 
PRT (Primary Refresh Token), 81 


PTA (Pass-Through Authentication), 61, 77-81. See also authentication 


R 

RBAC (role-based access control), 190. See also Key Vault RBAC and policies 

registration. See app registrations 

Remember MFA on trusted device, MFA service settings, 118 

Remote Desktop, Windows Hello for Business, 133 


reporting and workbooks, Azure AD admin center, 352-355 


resource identifier, 250 
resource roles 

access reviews, 313 

planning access reviews for, 306 
REST APIs, SCIM standards, 229 
restrictions, implementing, 261-264 
ResultDescription, sign-in log schema, 337 
ResultType, sign-in log schema, 337 


Risk Detections report, AADIP (Azure AD Identity Protection), 182 


risk remediation, AADIP (Azure AD Identity Protection), 183-184 


risk reports, AADIP (Azure AD Identity Protection), 176 
RiskDetail, sign-in log schema, 337 

RiskEventTypes, sign-in log schema, 337 
RiskLevelAggregated, sign-in log schema, 337 
RiskLevelDuringSignin, sign-in log schema, 337 
RiskState, sign-in log schema, 337 


Risky Sign-ins report, AADIP (Azure AD Identity Protection), 179-181 


Risky Users report, AADIP (Azure AD Identity Protection), 177-179 


RiskyUsers, Log Analytics, 349 
role permissions, analyzing, 195. See also permissions 
Role-Based Access Control, 11 


roles. See also administrative roles; app roles; application admin roles; Azure AD roles; custom roles 


for application management, 212-213 
assigning, 190-191 

assigning membership, 322-323 
assigning to applications, 258-259 
assigning to groups, 259-260 
assigning to users, 259-260 
configuring, 191-192 

configuring and managing, 3-11 
documentation, 11 

Graph API, 11 

permissions, 14-16 

PIM (Privileged Identity Management), 320-328 
planning access reviews for, 306 
resources about, 4 


S 


SaaS (Software as a Service), 202, 225 
SaaS apps 
integrating with Azure AD, 219-225 
for SSO, 220-225 
SAML (Security Assertions Markup Language), 225 
SAML application, Azure AD gallery, 216 
SAML authentication, 221 
SAML claims, 221 
saml2Token, 249 


SCIM (System for Cross-Domain Identity Management), 226, 229 


scopes and permissions, 250-254 

SCP (Service Connection Point), 35 

security posture, improving, 357-358 

separation of duties checks, access packages, 300-301 
Service filter, audit logs, 343 

Service Principal Objects, 241-244 
ServicePrincipalSignInLogs, Log Analytics, 349 
session management, implementing, 165 


session policies, Microsoft Defender for Cloud Apps, 272-274 


SharePoint Online, 262 

SharePoint sites, limiting, 263-264 

SIEM (Security Information and Event Management), 176 
sign-in and audit logs, 347-348 

SIEM integrations, AADIP (Azure AD Identity Protection), 185 
sign-in 
Azure AD admin center, 336-344 
event details, 237 
troubleshooting, 181 
sign-in activity, accessing, 338-339 
sign-in logs 
exporting to SIEM, 347-348 
ingesting, 345 
schema, 337 


sign-in risk policies, AADIP (Azure AD Identity Protection), 172-174 


Sign-in risk signal, and conditional access policies, 160 
SigninLogs, Log Analytics, 349 
smart lockout and password protection, 135-144 
Splunk tool for SIEM, 348 
SSO (Single Sign-On), 225 
ADFS (Active Directory Federation Services), 205-206 
Azure AD (Active Directory), 36 
hybrid identity, 81-82 
SSPR (self-service password reset), 108-115. See also password protection 


Status filter, audit logs, 343 

storage accounts, 345-347 

Sumo Logic tool for SIEM, 348 
synchronization errors, hybrid identity, 99-101 


T 


teams, configuring for access reviews, 307 
tenant setup, Azure AD (Active Directory), 2 
TenantId, sign-in log schema, 337 


tenant-wide settings, Azure AD (Active Directory), 20-22. See also multi-tenant apps 


text messages authentication, 124 
threat scenarios, 261 
Time, sign-in log schema, 337 
token configuration, app registration, 249 
tokens, OAuth2.0/OIDC, 253 
ToU (Terms of Use) 
conditional access policies, 153-159, 161 
entitlement management, 295-297 
trigger custom Logic Apps, 293 
troubleshooting 
analyzing error codes for, 340 
working with PII data, 338 
Trusted IPs, MFA service settings, 118 


U 


unlocking accounts, 144 

UPN (User Principal Name), 16 

usage insights, 236-237 

UsageLocation, licenses, 38 

user accounts. See external users 

user authentication. See also authentication 
Linux virtual machines, 146-147 
planning for, 124-125 
Windows virtual machines, 146-147 

user consent settings, 238-240 


user risk policies, AADIP (Azure AD Identity Protection), 168-172 


UserRiskEvents, Log Analytics, 349 
users. See also external users; per-user entitlement 
assigning to roles, 259-260 
Azure AD identities, 23-25 
blocking for app consent, 209 
and guest permissions, 43 
inviting in Azure AD, 45-50 
MFA settings, 119-122 


V 


Verification Options, MFA service settings, 118 
VMs (virtual machines), 146-147 
voice call authentication, 124 


W 


What If tool, Azure AD (Active Directory), 148-149 
Windows Hello for Business authentication, 124, 132-135 
Windows virtual machines, user authentication, 146-147 


workbooks and reporting, Azure AD admin center, 352-355 


Workplace Join, 34 
writeback, Azure AD identities, 33-37 
WS-Fed, Azure AD identities, 54-56 